From ebf6a4bd8e97e434d1502ddead4690aca3dd6d33 Mon Sep 17 00:00:00 2001
From: default
Date: Mon, 22 Apr 2024 05:46:56 +0200
Subject: [PATCH] URLs like {srv_baseurl}/{user}/admin/p/{md5} are valid. But only if {md5} is in the user's timeline.
---
 data.c | 14 +++++++++-----
 html.c | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/data.c b/data.c
index 1e46395..2fb00eb 100644
--- a/data.c
+++ b/data.c
@@ -1065,14 +1065,18 @@ int timeline_touch(snac *snac)
 xs_str *timeline_fn_by_md5(snac *snac, const char *md5)
 /* get the filename of an entry by md5 from any timeline */
 {
- xs_str *fn = xs_fmt("%s/private/%s.json", snac->basedir, md5);
+ xs_str *fn = NULL;
- if (mtime(fn) == 0.0) {
- fn = xs_free(fn);
- fn = xs_fmt("%s/public/%s.json", snac->basedir, md5);
+ if (xs_is_hex(md5) && strlen(md5) == 32) {
+ fn = xs_fmt("%s/private/%s.json", snac->basedir, md5);
- if (mtime(fn) == 0.0)
+ if (mtime(fn) == 0.0) {
 fn = xs_free(fn);
+ fn = xs_fmt("%s/public/%s.json", snac->basedir, md5);
+
+ if (mtime(fn) == 0.0)
+ fn = xs_free(fn);
+ }
 }
 return fn;
diff --git a/html.c b/html.c
index d52ef03..fdc0975 100644
--- a/html.c
+++ b/html.c
@@ -2586,6 +2586,25 @@ int html_get_handler(const xs_dict *req, const char *q_path,
 }
 }
 else
+ if (xs_startswith(p_path, "admin/p/")) { /** unique post by md5 **/
+ if (!login(&snac, req)) {
+ *body = xs_dup(uid);
+ status = 401;
+ }
+ else {
+ xs *l = xs_split(p_path, "/");
+ char *md5 = xs_list_get(l, -1);
+
+ if (md5 && *md5 && timeline_here(&snac, md5)) {
+ xs *list = xs_list_append(xs_list_new(), md5);
+
+ *body = html_timeline(&snac, list, 0, 0, 0, 0, NULL, "/admin", 1);
+ *b_size = strlen(*body);
+ status = 200;
+ }
+ }
+ }
+ else
 if (strcmp(p_path, "people") == 0) { /** the list of people **/
 if (!login(&snac, req)) {
 *body = xs_dup(uid);
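Review bot: The new guard in timeline_fn_by_md5() passes `md5` to `xs_is_hex()` and `strlen()` with no NULL check, so a caller that hands in NULL would now dereference it; whether any caller does is not visible in this hunk. Testing the pointer and the length first is cheap: `if (md5 && strlen(md5) == 32 && xs_is_hex(md5)) {`. The function comment should also record the new contract, for example `/* returns NULL unless md5 is exactly 32 hex characters; md5 may come from a URL and is interpolated into a filesystem path */`, so the check is not later removed as redundant.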
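Review bot: The `admin/p/` branch takes the id with `xs_list_get(l, -1)`, so any extra path segments between `admin/p/` and the last one are accepted and ignored. Requiring the exact shape, e.g. `if (xs_list_len(l) == 3 && md5 && *md5 && timeline_here(&snac, md5)) {`, would limit the route to the single form named in the commit message. The branch also depends on timeline_here() rejecting ids that are not 32 hex characters before html_timeline() uses them. Presumably it goes through timeline_fn_by_md5(), but that is not visible here, so a one-line comment stating the dependency would help. html_get_handler begins and continues outside the hunk.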