Merge 3e44516095 into a3634c19cf

Переиначенный #942, но в нём картинка скачивалась с сервера, в этом в
конфиге задаётся список разрешённых хостов и затем идёт редирект если
ссылка прошла проверку. Если не прошла то редиректает на заглушку.
Впрочем, это не поможет если в конфиге не указан cdn, но по крайней мере
не будет приколов с автозапуском методов на основном сайте

После мержа в конфиг добавьте kaslana.ovk.to


![image](https://github.com/user-attachments/assets/6f72add7-1d9f-4ca8-8938-3e00be5b61f7)

---------

Co-authored-by: n1rwana <93197434+n1rwana@users.noreply.github.com>

VKAPI/Handlers/Audio.php

@@ -21,13 +21,7 @@ final class Audio extends VKAPIRequestHandler
             $this->fail(201, "Access denied to audio(" . $audio->getId() . ")");
         }
 
-        # рофлан ебало
-        $privApi  = $hash && $GLOBALS["csrfCheck"];
         $audioObj = $audio->toVkApiStruct($this->getUser());
-        if (!$privApi) {
-            $audioObj->manifest = false;
-            $audioObj->keys     = false;
-        }
 
         if ($need_user) {
             $user = (new \openvk\Web\Models\Repositories\Users())->get($audio->getOwner()->getId());

VKAPI/Handlers/Wall.php

@@ -620,10 +620,6 @@ final class Wall extends VKAPIRequestHandler
             return (object) ["post_id" => $post->getVirtualId()];
         }
 
-        if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->getUser(), "wall.post", false)) {
-            $this->failTooOften();
-        }
-
         $anon = OPENVK_ROOT_CONF["openvk"]["preferences"]["wall"]["anonymousPosting"]["enable"];
         if ($wallOwner instanceof Club && $from_group == 1 && $signed != 1 && $anon) {
             $manager = $wallOwner->getManager($this->getUser());
@@ -717,6 +713,10 @@ final class Wall extends VKAPIRequestHandler
                 $post->setSuggested(1);
             }
 
+            if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->getUser(), "wall.post")) {
+                $this->failTooOften();
+            }
+
             $post->save();
         } catch (\LogicException $ex) {
             $this->fail(100, "One of the parameters specified was missing or invalid");
@@ -730,8 +730,6 @@ final class Wall extends VKAPIRequestHandler
             (new WallPostNotification($wallOwner, $post, $this->getUser()))->emit();
         }
 
-        \openvk\Web\Util\EventRateLimiter::i()->writeEvent("wall.post", $this->getUser(), $wallOwner);
-
         return (object) ["post_id" => $post->getVirtualId()];
     }
 

Web/Models/Entities/Note.php

@@ -6,12 +6,42 @@ namespace openvk\Web\Models\Entities;
 
 use HTMLPurifier_Config;
 use HTMLPurifier;
+use HTMLPurifier_Filter;
+
+class SecurityFilter extends HTMLPurifier_Filter
+{
+    public function preFilter($html, $config, $context)
+    {
+        $html = preg_replace_callback(
+            '/<img[^>]*src\s*=\s*["\']([^"\']*)["\'][^>]*>/i',
+            function ($matches) {
+                $originalSrc = $matches[1];
+                $src = $originalSrc;
+
+                if (OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true) {
+                    if (!str_contains($src, "/image.php?url=")) {
+                        $src = '/image.php?url=' . base64_encode($originalSrc);
+                    } /*else {
+                        $src = preg_replace_callback('/(.*)\/image\.php\?url=(.*)/i', function ($matches) {
+                            return base64_decode($matches[2]);
+                        }, $src);
+                    }*/
+                }
+
+                return str_replace($originalSrc, $src, $matches[0]);
+            },
+            $html
+        );
+
+        return $html;
+    }
+}
 
 class Note extends Postable
 {
     protected $tableName = "notes";
 
-    protected function renderHTML(): string
+    protected function renderHTML(?string $content = null): string
     {
         $config = HTMLPurifier_Config::createDefault();
         $config->set("Attr.AllowedClasses", []);
@@ -78,16 +108,19 @@ class Note extends Postable
         $config->set("Attr.AllowedClasses", [
             "underline",
         ]);
+        $config->set('Filter.Custom', [new SecurityFilter()]);
 
-        $source = null;
+        $source = $content;
-        if (is_null($this->getRecord())) {
+        if (!$source) {
-            if (isset($this->changes["source"])) {
+            if (is_null($this->getRecord())) {
-                $source = $this->changes["source"];
+                if (isset($this->changes["source"])) {
+                    $source = $this->changes["source"];
+                } else {
+                    throw new \LogicException("Can't render note without content set.");
+                }
             } else {
-                throw new \LogicException("Can't render note without content set.");
+                $source = $this->getRecord()->source;
             }
-        } else {
-            $source = $this->getRecord()->source;
         }
 
         $purifier = new HTMLPurifier($config);
@@ -117,7 +150,7 @@ class Note extends Postable
             $this->save();
         }
 
-        return $cached;
+        return $this->renderHTML($cached);
     }
 
     public function getSource(): string

Web/Models/Entities/Traits/TSubscribable.php

@@ -34,7 +34,6 @@ trait TSubscribable
             "target"   => $this->getId(),
         ];
         $sub  = $ctx->table("subscriptions")->where($data);
-
         if (!($sub->fetch())) {
             $ctx->table("subscriptions")->insert($data);
 

Web/Models/Entities/User.php

@@ -114,7 +114,6 @@ class User extends RowModel
 
     public function getChandlerUser(): ChandlerUser
     {
-        # TODO cache this function
         return new ChandlerUser($this->getRecord()->ref("ChandlerUsers", "user"));
     }
 
@@ -1740,41 +1739,51 @@ class User extends RowModel
         return DatabaseConnection::i()->getContext()->table("blacklist_relations")->where("author", $this->getId())->count();
     }
 
-    public function recieveEventsData(array $list): array
+    public function getEventCounters(array $list): array
     {
+        $count_of_keys = sizeof(array_keys($list));
         $ev_str = $this->getRecord()->events_counters;
-        $values = [];
+        $counters = [];
 
         if (!$ev_str) {
             for ($i = 0; $i < sizeof(array_keys($list)); $i++) {
-                $values[] = 0;
+                $counters[] = 0;
             }
         } else {
-            $keys = array_keys($list);
+            $counters = unpack("S" . $count_of_keys, base64_decode($ev_str, true));
-            $values = unpack("S*", base64_decode($ev_str));
         }
 
         return [
-            'counters' => $values,
+            'counters' => array_combine(array_keys($list), $counters),
             'refresh_time' => $this->getRecord()->events_refresh_time,
         ];
     }
 
-    public function stateEvents(array $list): void
+    public function stateEvents(array $state_list): void
     {
-        $this->stateChanges("events_counters", base64_encode(pack("S*", array_values($list))));
+        $pack_str = "";
+
+        foreach ($state_list as $item => $id) {
+            $pack_str .= "S";
+        }
+
+        $this->stateChanges("events_counters", base64_encode(pack($pack_str, ...array_values($state_list))));
+
+        if (!$this->getRecord()->events_refresh_time) {
+            $this->stateChanges("events_refresh_time", time());
+        }
     }
 
-    public function resetEvents(array $list, int $restriction_length)
+    public function resetEvents(array $list): void
     {
         $values = [];
 
-        for ($i = 0; $i < sizeof(array_keys($list)); $i++) {
+        foreach ($list as $key => $val) {
-            $values[] = 0;
+            $values[$key] = 0;
         }
 
         $this->stateEvents($values);
-        $this->stateChanges("events_refresh_time", $restriction_length + time());
+        $this->stateChanges("events_refresh_time", time());
         $this->save();
     }
 }

Web/Presenters/GiftsPresenter.php

@@ -106,7 +106,7 @@ final class GiftsPresenter extends OpenVKPresenter
             return;
         }
 
-        if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "gifts.send", false)) {
+        if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "gifts.send")) {
             $this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
         }
 

Web/Presenters/GroupPresenter.php

@@ -63,15 +63,15 @@ final class GroupPresenter extends OpenVKPresenter
 
         if ($_SERVER["REQUEST_METHOD"] === "POST") {
             if (!empty($this->postParam("name")) && mb_strlen(trim($this->postParam("name"))) > 0) {
-                if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "groups.create")) {
-                    $this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
-                }
-
                 $club = new Club();
                 $club->setName($this->postParam("name"));
                 $club->setAbout(empty($this->postParam("about")) ? null : $this->postParam("about"));
                 $club->setOwner($this->user->id);
 
+                if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "groups.create")) {
+                    $this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
+                }
+
                 try {
                     $club->save();
                 } catch (\PDOException $ex) {
@@ -108,6 +108,12 @@ final class GroupPresenter extends OpenVKPresenter
             $this->flashFail("err", tr("error"), tr("forbidden"));
         }
 
+        if (!$club->getSubscriptionStatus($this->user->identity)) {
+            if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "groups.sub")) {
+                $this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
+            }
+        }
+
         $club->toggleSubscription($this->user->identity);
 
         $this->redirect($club->getURL());

Web/Presenters/InternalAPIPresenter.php

@@ -176,4 +176,26 @@ final class InternalAPIPresenter extends OpenVKPresenter
             exit('');
         }
     }
+
+    public function renderImageFilter()
+    {
+        $is_enabled = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true;
+        $allowed_hosts = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["allowedHosts"] ?? [];
+
+        $url = $this->requestParam("url");
+        $url = base64_decode($url);
+
+        if (!$is_enabled) {
+            $this->redirect($url);
+        }
+
+        $url_parsed = parse_url($url);
+        $host = $url_parsed['host'];
+
+        if (in_array($host, $allowed_hosts)) {
+            $this->redirect($url);
+        } else {
+            $this->redirect('/assets/packages/static/openvk/img/fn_placeholder.jpg');
+        }
+    }
 }

Web/Presenters/UserPresenter.php

@@ -418,6 +418,12 @@ final class UserPresenter extends OpenVKPresenter
         if ($this->postParam("act") == "rej") {
             $user->changeFlags($this->user->identity, 0b10000000, true);
         } else {
+            if ($user->getSubscriptionStatus($this->user->identity) == \openvk\Web\Models\Entities\User::SUBSCRIPTION_ABSENT) {
+                if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "friends.outgoing_sub")) {
+                    $this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
+                }
+            }
+
             $user->toggleSubscription($this->user->identity);
         }
 

Web/Presenters/WallPresenter.php

@@ -356,6 +356,10 @@ final class WallPresenter extends OpenVKPresenter
             $this->flashFail("err", tr("failed_to_publish_post"), tr("post_is_empty_or_too_big"));
         }
 
+        if (\openvk\Web\Util\EventRateLimiter::i()->tryToLimit($this->user->identity, "wall.post")) {
+            $this->flashFail("err", tr("error"), tr("limit_exceed_exception"));
+        }
+
         $should_be_suggested = $wall < 0 && !$wallOwner->canBeModifiedBy($this->user->identity) && $wallOwner->getWallType() == 2;
         try {
             $post = new Post();

Web/Presenters/templates/About/Version.xml

@@ -385,8 +385,8 @@
                 <tr>
                     <td class="e">
                         Vladimir Barinov (veselcraft), Celestora, Konstantin Kichulkin (kosfurler),
-                        Daniel Myslivets, Maxim Leshchenko (maksales / maksalees), n1rwana and
+                        Daniel Myslivets, Maxim Leshchenko (maksales / maksalees), n1rwana,
-                        Jillian Österreich (Lumaeris)
+                        Jillian Österreich (Lumaeris) and MrIlyew (V00d00 M4g1c)
                     </td>
                 </tr>
             </tbody>
@@ -472,7 +472,7 @@
             </tbody>
         </table>
 
-        <table>
+        {*<table>
             <tbody>
                 <tr class="h">
                     <th>OpenVK QA Team</th>
@@ -486,7 +486,7 @@
                     </td>
                 </tr>
             </tbody>
-        </table>
+        </table>*}
 
         <hr/>
 

Web/Presenters/templates/components/textArea.xml

@@ -22,6 +22,8 @@
 
                 {if !is_null($thisUser) && !is_null($club ?? NULL) && $owner < 0}
                     {if $club->canBeModifiedBy($thisUser)}
+                        {var $anonHide = true}
+
                         <script>
                             function onWallAsGroupClick(el) {
                                 document.querySelector("#forceSignOpt").style.display = el.checked ? "block" : "none";
@@ -41,7 +43,7 @@
                     {/if}
                 {/if}
                 
-                <label n:if="$anonEnabled" id="octoberAnonOpt" style="display: none;">
+                <label n:if="$anonEnabled" id="octoberAnonOpt" {if $anonHide}style="display: none;"{/if}>
                     <input type="checkbox" name="anon" /> {_as_anonymous}
                 </label>
                 

Web/Util/EventRateLimiter.php

@@ -13,28 +13,29 @@ class EventRateLimiter
     use TSimpleSingleton;
 
     private $config;
-    private $availableFields;
 
     public function __construct()
     {
         $this->config = OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"];
-
-        $this->availableFields = array_keys($this->config['list']);
     }
 
-    /* 
+    public function tryToLimit(?User $user, string $event_type, bool $is_update = true): bool
-    Checks count of actions for last hours
-
-    Uses config path OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"]
-
-    Returns:
-
-    true — limit has exceed and the action must be restricted
-
-    false — the action can be performed
-    */
-    public function tryToLimit(?User $user, string $event_type, bool $distinct = true): bool
     {
+
+        /* 
+        Checks count of actions for last x seconds.
+
+        Uses OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"]
+
+        This check should be peformed only after checking other conditions cuz by default it increments counter
+
+        Returns:
+
+        true — limit has exceed and the action must be restricted
+
+        false — the action can be performed
+        */
+
         $isEnabled = $this->config['enable'];
         $isIgnoreForAdmins = $this->config['ignoreForAdmins'];
         $restrictionTime = $this->config['restrictionTime'];
@@ -48,75 +49,45 @@ class EventRateLimiter
             return false;
         }
 
+        $eventsStats = $user->getEventCounters($eventsList);
         $limitForThatEvent = $eventsList[$event_type];
-        $stat = $this->getEvent($event_type, $user);
-        bdump($stat);
 
-        $is_restrict_over = $stat["refresh_time"] < time() - $restrictionTime;
+        $counters = $eventsStats["counters"];
+        $refresh_time = $eventsStats["refresh_time"];
+        $is_restrict_over = $refresh_time < (time() - $restrictionTime);
+        $event_counter = $counters[$event_type];
 
-        if ($is_restrict_over) {
+        if ($refresh_time && $is_restrict_over) {
-            $user->resetEvents($eventsList, $restrictionTime);
+            $user->resetEvents($eventsList);
 
             return false;
         }
 
-        $is = $stat["compared"] > $limitForThatEvent;
+        $is_limit_exceed = $event_counter >= $limitForThatEvent;
 
-        if ($is === false) {
+        if (!$is_limit_exceed && $is_update) {
-            $this->incrementEvent($event_type, $user);
+            $this->incrementEvent($counters, $event_type, $user);
         }
 
-        return $is;
+        return $is_limit_exceed;
     }
 
-    public function getEvent(string $event_type, User $by_user): array
+    public function incrementEvent(array $old_values, string $event_type, User $initiator): bool
-    {
-        $ev_data = $by_user->recieveEventsData($this->config['list']);
-        $values  = $ev_data['counters'];
-        $i = 0;
-
-        $compared = [];
-        bdump($values);
-
-        foreach ($this->config['list'] as $name => $value) {
-            bdump($value);
-            $compared[$name] = $values[$i];
-            $i += 1;
-        }
-
-        return [
-            "compared" => $compared,
-            "refresh_time" => $ev_data["refresh_time"]
-        ];
-    }
-
-    /*
-    Updates counter for user
-    */
-    public function incrementEvent(string $event_type, User $initiator): bool
     {
+        /*
+        Updates counter for user
+        */
         $isEnabled = $this->config['enable'];
-        $eventsList = OPENVK_ROOT_CONF["openvk"]["preferences"]["security"]["rateLimits"]["eventsLimit"];
+        $eventsList = $this->config['list'];
 
         if (!$isEnabled) {
             return false;
         }
 
-        $ev_data = $initiator->recieveEventsData($eventsList);
+        $old_values[$event_type] += 1;
-        $values  = $ev_data['counters'];
-        $i = 0;
 
-        $compared = [];
+        $initiator->stateEvents($old_values);
-
+        $initiator->save();
-        foreach ($eventsList as $name => $value) {
-            $compared[$name] = $values[$i];
-            $i += 1;
-        }
-
-        $compared[$event_type] += 1;
-
-        bdump($compared);
-        $initiator->stateEvents($compared);
 
         return true;
     }

Web/routes.yml

@@ -413,6 +413,8 @@ routes:
       handler: "InternalAPI->getPhotosFromPost"
     - url: "/iapi/getPostTemplate/{num}_{num}"
       handler: "InternalAPI->getPostTemplate"
+    - url: "/image.php"
+      handler: "InternalAPI->imageFilter"
     - url: "/tour"
       handler: "About->tour"
     - url: "/fave"

openvk-example.yml

@@ -50,7 +50,7 @@ openvk:
                         groups.sub: 50
                         friends.outgoing_sub: 25
                         wall.post: 5000
-                        gifts.send: 20
+                        gifts.send: 30
         blacklists:
             limit: 100
             applyToAdmins: true
@@ -70,6 +70,9 @@ openvk:
             exposeOriginalURLs: true
         newsfeed:
             ignoredSourcesLimit: 50
+        notes:
+            disableHotlinking: true
+            allowedHosts: []
         wall:
             christian: false
             anonymousPosting: