thallada/panic-shack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitize chat input

Browse Source 
Don't let someone send a chat message with "^C" and kill the server.
This commit is contained in:
Tyler Hallada 2018-03-27 15:58:33 -04:00
parent 095de45d54
commit 21caa3f7a1
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
chat/server.py
View File

@ -1,5 +1,7 @@
import logging import logging
import shlex
import subprocess import subprocess
import unicodedata
from flask import Flask, request from flask import Flask, request
@ -12,6 +14,11 @@ def setup_logging():
app.logger.setLevel(logging.INFO) app.logger.setLevel(logging.INFO)
def sanitize_input(input):
input = "".join(ch for ch in input if unicodedata.category(ch)[0] != "C")
return shlex.quote(input.replace('^', ''))
@app.route('/chat/', methods=['POST']) @app.route('/chat/', methods=['POST'])
def send_chat(): def send_chat():
if request.method == 'POST': if request.method == 'POST':
@ -20,11 +27,17 @@ def send_chat():
if not request.form.get('say-text', None): if not request.form.get('say-text', None):
return 'No message to send!', 422 return 'No message to send!', 422
if request.form.get('say-username', None): if request.form.get('say-username', None):
subprocess.call(['/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff', subprocess.call([
'/say [{}]: {}\015'.format(request.form['say-username'], request.form['say-text'])]) '/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff',
'/say [{}]: {}\015'.format(
sanitize_input(request.form['say-username']),
sanitize_input(request.form['say-text']))
])
else: else:
subprocess.call(['/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff', subprocess.call([
'/say {}\015'.format(request.form['say-text'])]) '/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff',
'/say {}\015'.format(sanitize_input(request.form['say-text']))
])
return 'Sending chat: ' + request.form.get('say-username', '') + ': ' + request.form['say-text'] return 'Sending chat: ' + request.form.get('say-username', '') + ': ' + request.form['say-text']
if __name__ == "__main__": if __name__ == "__main__":