author | Saptak S <saptak013@gmail.com> | 2024-03-15 12:32:44 +0530 |
---|---|---|
committer | Saptak S <saptak013@gmail.com> | 2024-03-15 12:32:44 +0530 |
commit | f1cf52b166fb58d5cba62e45b861494b91723923 (patch) | |
tree | 692d55281e1992fbaa84b98d8a56b1e3396b7f3c | |
parent | 03f89bfaa7d9c88eced8e071105e347aa9077568 (diff) | |
parent | 2ef15395d4a01ec56867c9a3dd60161a193f9380 (diff) | |
Merge branch 'main' of github.com:onionshare/onionshare-ghsa-9mxm-qp84-xgx6 into release-2.6.2
-rw-r--r-- | cli/onionshare_cli/web/chat_mode.py | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/cli/onionshare_cli/web/chat_mode.py b/cli/onionshare_cli/web/chat_mode.py index 5a11eedd..02466e2b 100644 --- a/cli/onionshare_cli/web/chat_mode.py +++ b/cli/onionshare_cli/web/chat_mode.py @@ -17,6 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. """ +import unicodedata from flask import request, render_template, make_response, jsonify, session from flask_socketio import emit, ConnectionRefusedError @@ -47,11 +48,37 @@ class ChatModeWeb: self.define_routes() + def remove_unallowed_characters(self, text): + """ + Sanitize username to remove unwanted characters. + Allowed characters right now are: + - all ASCII numbers + - all ASCII letters + - dash, underscore and single space + """ + + def allowed_character(ch): + allowed_unicode_categories = [ + 'L', # All letters + 'N', # All numbers + ] + allowed_special_characters = [ + '-', # dash + '_', # underscore + ' ', # single space + ] + return ( + unicodedata.category(ch)[0] in allowed_unicode_categories and ord(ch) < 128 + ) or ch in allowed_special_characters + + return "".join( + ch for ch in text if allowed_character(ch) + ) + def validate_username(self, username): - username = username.strip() + username = self.remove_unallowed_characters(username.strip()) return ( username - and username.isascii() and username not in self.connected_users and len(username) < 128 ) |
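Review bot: In validate_username the sanitizer runs after strip(), so a name whose first or last character is rejected but adjacent to a space keeps that whitespace — for example a constructed `"! alice"` becomes `" alice"` — and that padded string is what is compared against connected_users and length-checked; reversing the order, `username = self.remove_unallowed_characters(username).strip()`, closes that gap. The docstring's "single space" is also not what the filter enforces: it is per-character, so any run of interior spaces passes, and two names differing only in spacing are both accepted as distinct. validate_username still returns a boolean rather than the cleaned string, so unless the caller (outside this hunk, in the ChatModeWeb class whose header is also outside it) re-applies remove_unallowed_characters before storing or broadcasting the name, the filter only affects acceptance and the raw input is what gets used; that is worth confirming against the route handler. A smaller point of style: the two allowed-list literals are rebuilt on every character, and the whole predicate is equivalent to `ch.isascii() and (ch.isalnum() or ch in "-_ ")`, which needs neither the lists nor the unicodedata import.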