mirror of
https://github.com/openvk/openvk
synced 2025-07-07 00:09:48 +03:00
Compare commits
7 commits
55455c21c5
...
b784c963d2
| Author | SHA1 | Date | |
|---|---|---|---|
|
b784c963d2 | ||
|
|
3e44516095 | ||
|
|
9079df9646 | ||
|
|
636a9e5b67 | ||
|
|
c3b1e46909 | ||
|
a3634c19cf | ||
|
|
9714d0f036 |
16 changed files with 159 additions and 110 deletions
|
|
@ -21,13 +21,7 @@ final class Audio extends VKAPIRequestHandler
|
|||
$this->fail(201, "Access denied to audio(" . $audio->getId() . ")");
|
||||
}
|
||||
|
||||
# рофлан ебало
|
||||
$privApi = $hash && $GLOBALS["csrfCheck"];
|
||||
$audioObj = $audio->toVkApiStruct($this->getUser());
|
||||
if (!$privApi) {
|
||||
$audioObj->manifest = false;
|
||||
$audioObj->keys = false;
|
||||
}
|
||||
|
||||
if ($need_user) {
|
||||
$user = (new \openvk\Web\Models\Repositories\Users())->get($audio->getOwner()->getId());
|
||||
|
|
|
|||
|
|
@ -620,10 +620,6 @@ final class Wall extends VKAPIRequestHandler
|
|||
return (object) ["post_id" => $post->getVirtualId()];
|
||||
}
|
||||
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->getUser(), "wall.post", false)) {
|
||||
$this->failTooOften();
|
||||
}
|
||||
|
||||
$anon = OPENVK_ROOT_CONF["openvk"]["preferences"]["wall"]["anonymousPosting"]["enable"];
|
||||
if ($wallOwner instanceof Club && $from_group == 1 && $signed != 1 && $anon) {
|
||||
$manager = $wallOwner->getManager($this->getUser());
|
||||
|
|
@ -717,6 +713,10 @@ final class Wall extends VKAPIRequestHandler
|
|||
$post->setSuggested(1);
|
||||
}
|
||||
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->getUser(), "wall.post")) {
|
||||
$this->failTooOften();
|
||||
}
|
||||
|
||||
$post->save();
|
||||
} catch (\LogicException $ex) {
|
||||
$this->fail(100, "One of the parameters specified was missing or invalid");
|
||||
|
|
@ -730,8 +730,6 @@ final class Wall extends VKAPIRequestHandler
|
|||
(new WallPostNotification($wallOwner, $post, $this->getUser()))->emit();
|
||||
}
|
||||
|
||||
\openvk\Web\Util\EventRateLimiter::i()->writeEvent("wall.post", $this->getUser(), $wallOwner);
|
||||
|
||||
return (object) ["post_id" => $post->getVirtualId()];
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,12 +6,42 @@ namespace openvk\Web\Models\Entities;
|
|||
|
||||
use HTMLPurifier_Config;
|
||||
use HTMLPurifier;
|
||||
use HTMLPurifier_Filter;
|
||||
|
||||
class SecurityFilter extends HTMLPurifier_Filter
|
||||
{
|
||||
public function preFilter($html, $config, $context)
|
||||
{
|
||||
$html = preg_replace_callback(
|
||||
'/<img[^>]*src\s*=\s*["\']([^"\']*)["\'][^>]*>/i',
|
||||
function ($matches) {
|
||||
$originalSrc = $matches[1];
|
||||
$src = $originalSrc;
|
||||
|
||||
if (OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true) {
|
||||
if (!str_contains($src, "/image.php?url=")) {
|
||||
$src = '/image.php?url=' . base64_encode($originalSrc);
|
||||
} /*else {
|
||||
$src = preg_replace_callback('/(.*)\/image\.php\?url=(.*)/i', function ($matches) {
|
||||
return base64_decode($matches[2]);
|
||||
}, $src);
|
||||
}*/
|
||||
}
|
||||
|
||||
return str_replace($originalSrc, $src, $matches[0]);
|
||||
},
|
||||
$html
|
||||
);
|
||||
|
||||
return $html;
|
||||
}
|
||||
}
|
||||
|
||||
class Note extends Postable
|
||||
{
|
||||
protected $tableName = "notes";
|
||||
|
||||
protected function renderHTML(): string
|
||||
protected function renderHTML(?string $content = null): string
|
||||
{
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set("Attr.AllowedClasses", []);
|
||||
|
|
@ -78,16 +108,19 @@ class Note extends Postable
|
|||
$config->set("Attr.AllowedClasses", [
|
||||
"underline",
|
||||
]);
|
||||
$config->set('Filter.Custom', [new SecurityFilter()]);
|
||||
|
||||
$source = null;
|
||||
if (is_null($this->getRecord())) {
|
||||
if (isset($this->changes["source"])) {
|
||||
$source = $this->changes["source"];
|
||||
$source = $content;
|
||||
if (!$source) {
|
||||
if (is_null($this->getRecord())) {
|
||||
if (isset($this->changes["source"])) {
|
||||
$source = $this->changes["source"];
|
||||
} else {
|
||||
throw new \LogicException("Can't render note without content set.");
|
||||
}
|
||||
} else {
|
||||
throw new \LogicException("Can't render note without content set.");
|
||||
$source = $this->getRecord()->source;
|
||||
}
|
||||
} else {
|
||||
$source = $this->getRecord()->source;
|
||||
}
|
||||
|
||||
$purifier = new HTMLPurifier($config);
|
||||
|
|
@ -117,7 +150,7 @@ class Note extends Postable
|
|||
$this->save();
|
||||
}
|
||||
|
||||
return $cached;
|
||||
return $this->renderHTML($cached);
|
||||
}
|
||||
|
||||
public function getSource(): string
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@ trait TSubscribable
|
|||
"target" => $this->getId(),
|
||||
];
|
||||
$sub = $ctx->table("subscriptions")->where($data);
|
||||
|
||||
if (!($sub->fetch())) {
|
||||
$ctx->table("subscriptions")->insert($data);
|
||||
|
||||
|
|
|
|||
|
|
@ -114,7 +114,6 @@ class User extends RowModel
|
|||
|
||||
public function getChandlerUser(): ChandlerUser
|
||||
{
|
||||
# TODO cache this function
|
||||
return new ChandlerUser($this->getRecord()->ref("ChandlerUsers", "user"));
|
||||
}
|
||||
|
||||
|
|
@ -1740,41 +1739,51 @@ class User extends RowModel
|
|||
return DatabaseConnection::i()->getContext()->table("blacklist_relations")->where("author", $this->getId())->count();
|
||||
}
|
||||
|
||||
public function recieveEventsData(array $list): array
|
||||
public function getEventCounters(array $list): array
|
||||
{
|
||||
$count_of_keys = sizeof(array_keys($list));
|
||||
$ev_str = $this->getRecord()->events_counters;
|
||||
$values = [];
|
||||
$counters = [];
|
||||
|
||||
if (!$ev_str) {
|
||||
for ($i = 0; $i < sizeof(array_keys($list)); $i++) {
|
||||
$values[] = 0;
|
||||
$counters[] = 0;
|
||||
}
|
||||
} else {
|
||||
$keys = array_keys($list);
|
||||
$values = unpack("S*", base64_decode($ev_str));
|
||||
$counters = unpack("S" . $count_of_keys, base64_decode($ev_str, true));
|
||||
}
|
||||
|
||||
return [
|
||||
'counters' => $values,
|
||||
'counters' => array_combine(array_keys($list), $counters),
|
||||
'refresh_time' => $this->getRecord()->events_refresh_time,
|
||||
];
|
||||
}
|
||||
|
||||
public function stateEvents(array $list): void
|
||||
public function stateEvents(array $state_list): void
|
||||
{
|
||||
$this->stateChanges("events_counters", base64_encode(pack("S*", array_values($list))));
|
||||
$pack_str = "";
|
||||
|
||||
foreach ($state_list as $item => $id) {
|
||||
$pack_str .= "S";
|
||||
}
|
||||
|
||||
$this->stateChanges("events_counters", base64_encode(pack($pack_str, ...array_values($state_list))));
|
||||
|
||||
if (!$this->getRecord()->events_refresh_time) {
|
||||
$this->stateChanges("events_refresh_time", time());
|
||||
}
|
||||
}
|
||||
|
||||
public function resetEvents(array $list, int $restriction_length)
|
||||
public function resetEvents(array $list): void
|
||||
{
|
||||
$values = [];
|
||||
|
||||
for ($i = 0; $i < sizeof(array_keys($list)); $i++) {
|
||||
$values[] = 0;
|
||||
foreach ($list as $key => $val) {
|
||||
$values[$key] = 0;
|
||||
}
|
||||
|
||||
$this->stateEvents($values);
|
||||
$this->stateChanges("events_refresh_time", $restriction_length + time());
|
||||
$this->stateChanges("events_refresh_time", time());
|
||||
$this->save();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -106,7 +106,7 @@ final class GiftsPresenter extends OpenVKPresenter
|
|||
return;
|
||||
}
|
||||
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "gifts.send", false)) {
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "gifts.send")) {
|
||||
$this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -63,15 +63,15 @@ final class GroupPresenter extends OpenVKPresenter
|
|||
|
||||
if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
if (!empty($this->postParam("name")) && mb_strlen(trim($this->postParam("name"))) > 0) {
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "groups.create")) {
|
||||
$this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
|
||||
}
|
||||
|
||||
$club = new Club();
|
||||
$club->setName($this->postParam("name"));
|
||||
$club->setAbout(empty($this->postParam("about")) ? null : $this->postParam("about"));
|
||||
$club->setOwner($this->user->id);
|
||||
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "groups.create")) {
|
||||
$this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
|
||||
}
|
||||
|
||||
try {
|
||||
$club->save();
|
||||
} catch (\PDOException $ex) {
|
||||
|
|
@ -108,6 +108,12 @@ final class GroupPresenter extends OpenVKPresenter
|
|||
$this->flashFail("err", tr("error"), tr("forbidden"));
|
||||
}
|
||||
|
||||
if (!$club->getSubscriptionStatus($this->user->identity)) {
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "groups.sub")) {
|
||||
$this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
|
||||
}
|
||||
}
|
||||
|
||||
$club->toggleSubscription($this->user->identity);
|
||||
|
||||
$this->redirect($club->getURL());
|
||||
|
|
|
|||
|
|
@ -176,4 +176,26 @@ final class InternalAPIPresenter extends OpenVKPresenter
|
|||
exit('');
|
||||
}
|
||||
}
|
||||
|
||||
public function renderImageFilter()
|
||||
{
|
||||
$is_enabled = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true;
|
||||
$allowed_hosts = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["allowedHosts"] ?? [];
|
||||
|
||||
$url = $this->requestParam("url");
|
||||
$url = base64_decode($url);
|
||||
|
||||
if (!$is_enabled) {
|
||||
$this->redirect($url);
|
||||
}
|
||||
|
||||
$url_parsed = parse_url($url);
|
||||
$host = $url_parsed['host'];
|
||||
|
||||
if (in_array($host, $allowed_hosts)) {
|
||||
$this->redirect($url);
|
||||
} else {
|
||||
$this->redirect('/assets/packages/static/openvk/img/fn_placeholder.jpg');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -418,6 +418,12 @@ final class UserPresenter extends OpenVKPresenter
|
|||
if ($this->postParam("act") == "rej") {
|
||||
$user->changeFlags($this->user->identity, 0b10000000, true);
|
||||
} else {
|
||||
if ($user->getSubscriptionStatus($this->user->identity) == \openvk\Web\Models\Entities\User::SUBSCRIPTION_ABSENT) {
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "friends.outgoing_sub")) {
|
||||
$this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
|
||||
}
|
||||
}
|
||||
|
||||
$user->toggleSubscription($this->user->identity);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -356,6 +356,10 @@ final class WallPresenter extends OpenVKPresenter
|
|||
$this->flashFail("err", tr("failed_to_publish_post"), tr("post_is_empty_or_too_big"));
|
||||
}
|
||||
|
||||
if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "wall.post")) {
|
||||
$this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
|
||||
}
|
||||
|
||||
$should_be_suggested = $wall < 0 && !$wallOwner->canBeModifiedBy($this->user->identity) && $wallOwner->getWallType() == 2;
|
||||
try {
|
||||
$post = new Post();
|
||||
|
|
|
|||
|
|
@ -385,8 +385,8 @@
|
|||
<tr>
|
||||
<td class="e">
|
||||
Vladimir Barinov (veselcraft), Celestora, Konstantin Kichulkin (kosfurler),
|
||||
Daniel Myslivets, Maxim Leshchenko (maksales / maksalees), n1rwana and
|
||||
Jillian Österreich (Lumaeris)
|
||||
Daniel Myslivets, Maxim Leshchenko (maksales / maksalees), n1rwana,
|
||||
Jillian Österreich (Lumaeris) and MrIlyew (V00d00 M4g1c)
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
@ -472,7 +472,7 @@
|
|||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
{*<table>
|
||||
<tbody>
|
||||
<tr class="h">
|
||||
<th>OpenVK QA Team</th>
|
||||
|
|
@ -486,7 +486,7 @@
|
|||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</table>*}
|
||||
|
||||
<hr/>
|
||||
|
||||
|
|
|
|||
|
|
@ -22,6 +22,8 @@
|
|||
|
||||
{if !is_null($thisUser) && !is_null($club ?? NULL) && $owner < 0}
|
||||
{if $club->canBeModifiedBy($thisUser)}
|
||||
{var $anonHide = true}
|
||||
|
||||
<script>
|
||||
function onWallAsGroupClick(el) {
|
||||
document.querySelector("#forceSignOpt").style.display = el.checked ? "block" : "none";
|
||||
|
|
@ -41,7 +43,7 @@
|
|||
{/if}
|
||||
{/if}
|
||||
|
||||
<label n:if="$anonEnabled" id="octoberAnonOpt" style="display: none;">
|
||||
<label n:if="$anonEnabled" id="octoberAnonOpt" {if $anonHide}style="display: none;"{/if}>
|
||||
<input type="checkbox" name="anon" /> {_as_anonymous}
|
||||
</label>
|
||||
|
||||
|
|
|
|||
|
|
@ -13,28 +13,29 @@ class EventRateLimiter
|
|||
use TSimpleSingleton;
|
||||
|
||||
private $config;
|
||||
private $availableFields;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->config = OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"];
|
||||
|
||||
$this->availableFields = array_keys($this->config['list']);
|
||||
}
|
||||
|
||||
/*
|
||||
Checks count of actions for last hours
|
||||
|
||||
Uses config path OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"]
|
||||
|
||||
Returns:
|
||||
|
||||
true — limit has exceed and the action must be restricted
|
||||
|
||||
false — the action can be performed
|
||||
*/
|
||||
public function tryToLimit(?User $user, string $event_type, bool $distinct = true): bool
|
||||
public function tryToLimit(?User $user, string $event_type, bool $is_update = true): bool
|
||||
{
|
||||
|
||||
/*
|
||||
Checks count of actions for last x seconds.
|
||||
|
||||
Uses OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"]
|
||||
|
||||
This check should be peformed only after checking other conditions cuz by default it increments counter
|
||||
|
||||
Returns:
|
||||
|
||||
true — limit has exceed and the action must be restricted
|
||||
|
||||
false — the action can be performed
|
||||
*/
|
||||
|
||||
$isEnabled = $this->config['enable'];
|
||||
$isIgnoreForAdmins = $this->config['ignoreForAdmins'];
|
||||
$restrictionTime = $this->config['restrictionTime'];
|
||||
|
|
@ -48,75 +49,45 @@ class EventRateLimiter
|
|||
return false;
|
||||
}
|
||||
|
||||
$eventsStats = $user->getEventCounters($eventsList);
|
||||
$limitForThatEvent = $eventsList[$event_type];
|
||||
$stat = $this->getEvent($event_type, $user);
|
||||
bdump($stat);
|
||||
|
||||
$is_restrict_over = $stat["refresh_time"] < time() - $restrictionTime;
|
||||
$counters = $eventsStats["counters"];
|
||||
$refresh_time = $eventsStats["refresh_time"];
|
||||
$is_restrict_over = $refresh_time < (time() - $restrictionTime);
|
||||
$event_counter = $counters[$event_type];
|
||||
|
||||
if ($is_restrict_over) {
|
||||
$user->resetEvents($eventsList, $restrictionTime);
|
||||
if ($refresh_time && $is_restrict_over) {
|
||||
$user->resetEvents($eventsList);
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
$is = $stat["compared"] > $limitForThatEvent;
|
||||
$is_limit_exceed = $event_counter >= $limitForThatEvent;
|
||||
|
||||
if ($is === false) {
|
||||
$this->incrementEvent($event_type, $user);
|
||||
if (!$is_limit_exceed && $is_update) {
|
||||
$this->incrementEvent($counters, $event_type, $user);
|
||||
}
|
||||
|
||||
return $is;
|
||||
return $is_limit_exceed;
|
||||
}
|
||||
|
||||
public function getEvent(string $event_type, User $by_user): array
|
||||
{
|
||||
$ev_data = $by_user->recieveEventsData($this->config['list']);
|
||||
$values = $ev_data['counters'];
|
||||
$i = 0;
|
||||
|
||||
$compared = [];
|
||||
bdump($values);
|
||||
|
||||
foreach ($this->config['list'] as $name => $value) {
|
||||
bdump($value);
|
||||
$compared[$name] = $values[$i];
|
||||
$i += 1;
|
||||
}
|
||||
|
||||
return [
|
||||
"compared" => $compared,
|
||||
"refresh_time" => $ev_data["refresh_time"]
|
||||
];
|
||||
}
|
||||
|
||||
/*
|
||||
Updates counter for user
|
||||
*/
|
||||
public function incrementEvent(string $event_type, User $initiator): bool
|
||||
public function incrementEvent(array $old_values, string $event_type, User $initiator): bool
|
||||
{
|
||||
/*
|
||||
Updates counter for user
|
||||
*/
|
||||
$isEnabled = $this->config['enable'];
|
||||
$eventsList = OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"];
|
||||
$eventsList = $this->config['list'];
|
||||
|
||||
if (!$isEnabled) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$ev_data = $initiator->recieveEventsData($eventsList);
|
||||
$values = $ev_data['counters'];
|
||||
$i = 0;
|
||||
$old_values[$event_type] += 1;
|
||||
|
||||
$compared = [];
|
||||
|
||||
foreach ($eventsList as $name => $value) {
|
||||
$compared[$name] = $values[$i];
|
||||
$i += 1;
|
||||
}
|
||||
|
||||
$compared[$event_type] += 1;
|
||||
|
||||
bdump($compared);
|
||||
$initiator->stateEvents($compared);
|
||||
$initiator->stateEvents($old_values);
|
||||
$initiator->save();
|
||||
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -413,6 +413,8 @@ routes:
|
|||
handler: "InternalAPI->getPhotosFromPost"
|
||||
- url: "/iapi/getPostTemplate/{num}_{num}"
|
||||
handler: "InternalAPI->getPostTemplate"
|
||||
- url: "/image.php"
|
||||
handler: "InternalAPI->imageFilter"
|
||||
- url: "/tour"
|
||||
handler: "About->tour"
|
||||
- url: "/fave"
|
||||
|
|
|
|||
BIN
Web/static/img/fn_placeholder.jpg
Normal file
BIN
Web/static/img/fn_placeholder.jpg
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
|
|
@ -50,7 +50,7 @@ openvk:
|
|||
groups.sub: 50
|
||||
friends.outgoing_sub: 25
|
||||
wall.post: 5000
|
||||
gifts.send: 20
|
||||
gifts.send: 30
|
||||
blacklists:
|
||||
limit: 100
|
||||
applyToAdmins: true
|
||||
|
|
@ -70,6 +70,9 @@ openvk:
|
|||
exposeOriginalURLs: true
|
||||
newsfeed:
|
||||
ignoredSourcesLimit: 50
|
||||
notes:
|
||||
disableHotlinking: true
|
||||
allowedHosts: []
|
||||
wall:
|
||||
christian: false
|
||||
anonymousPosting:
|
||||
|
|
|
|||
Loading…
Reference in a new issue