From 7a3943c447e82a3c6795e91fd2c2ec15cf207f55 Mon Sep 17 00:00:00 2001 From: Thomas Lynch Date: Mon, 12 Oct 2020 22:27:23 +0000 Subject: [PATCH] patch messages length check for CRLF vs just LF, because browsers dont count CRLF as 2 characters like the server does (and like it technically is). this will happen for other fields too, but message is the only one that really matter close #269 --- controllers/forms/addnews.js | 4 ++-- controllers/forms/appeal.js | 4 ++-- controllers/forms/editpost.js | 2 +- controllers/forms/makepost.js | 14 +++++++------- helpers/paramconverter.js | 5 +++++ 5 files changed, 17 insertions(+), 12 deletions(-) diff --git a/controllers/forms/addnews.js b/controllers/forms/addnews.js index 56f751d6..6800c87a 100644 --- a/controllers/forms/addnews.js +++ b/controllers/forms/addnews.js @@ -7,10 +7,10 @@ module.exports = async (req, res, next) => { const errors = []; - if (!req.body.message || req.body.message.length === 0) { + if (!req.body.message || res.locals.messageLength === 0) { errors.push('Missing message'); } - if (req.body.message.length > 10000) { + if (res.locals.messageLength > 10000) { errors.push('Message must be 10000 characters or less'); } if (!req.body.title || req.body.title.length === 0) { diff --git a/controllers/forms/appeal.js b/controllers/forms/appeal.js index 00572439..80cb1187 100644 --- a/controllers/forms/appeal.js +++ b/controllers/forms/appeal.js 
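Review bot: The 10000-character check in addnews.js now reads `res.locals.messageLength`, which this hunk does not set — it is populated by helpers/paramconverter.js elsewhere in this patch — so on any route where that middleware does not run ahead of this controller the value is `undefined`, `undefined > 10000` is false, and the limit is silently not enforced. A local fallback keeps the limit independent of middleware order: `const messageLength = typeof res.locals.messageLength === 'number' ? res.locals.messageLength : (req.body.message || '').length;` followed by `if (messageLength > 10000) {`. The same ordering dependence exists in the other three controllers touched by this patch. Whether every route is wired through paramconverter cannot be seen from here, so this may be belt-and-braces only.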
@@ -11,10 +11,10 @@ module.exports = async (req, res, next) => { if (!req.body.checkedbans || req.body.checkedbans.length === 0 || req.body.checkedbans.length > 10) { errors.push('Must select 1-10 bans'); } - if (!req.body.message || req.body.message.length === 0) { + if (!req.body.message || res.locals.messageLength === 0) { errors.push('Appeals must include a message'); } - if (req.body.message.length > globalLimits.fieldLength.message) { + if (res.locals.messageLength > globalLimits.fieldLength.message) { errors.push('Appeal message must be 2000 characters or less'); } diff --git a/controllers/forms/editpost.js b/controllers/forms/editpost.js index 92e34f60..1a79fa8a 100644 --- a/controllers/forms/editpost.js +++ b/controllers/forms/editpost.js @@ -14,7 +14,7 @@ module.exports = async (req, res, next) => { errors.push('Missing board and postId form data'); } // message, subject, email, name, limited length - if (req.body.message && req.body.message.length > globalLimits.fieldLength.message) { + if (req.body.message && res.locals.messageLength > globalLimits.fieldLength.message) { errors.push(`Message must be ${globalLimits.fieldLength.message} characters or less`); } if (req.body.name && req.body.name.length > globalLimits.fieldLength.name) { diff --git a/controllers/forms/makepost.js b/controllers/forms/makepost.js index 912462a4..ba5e5fff 100644 --- a/controllers/forms/makepost.js +++ b/controllers/forms/makepost.js @@ -11,7 +11,7 @@ module.exports = async (req, res, next) => { const errors = []; // even if force file and message are off, the post must contain one of either. - if ((!req.body.message || req.body.message.length === 0) && res.locals.numFiles === 0) { + if ((!req.body.message || res.locals.messageLength === 0) && res.locals.numFiles === 0) { errors.push('Posts must include a message or file'); } if (res.locals.tor 
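Review bot: In the appeal.js hunk the user-facing text `'Appeal message must be 2000 characters or less'` hard-codes a limit while the check directly above it now compares against `globalLimits.fieldLength.message`; if that setting is ever changed the error reports the wrong number. editpost.js in this same patch already interpolates the limit, so the appeal message should follow suit: `` errors.push(`Appeal message must be ${globalLimits.fieldLength.message} characters or less`); ``. The editpost.js and makepost.js hunks on this line look consistent with the new `messageLength` source; the makepost.js hunk's enclosing function continues outside it.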
@@ -35,7 +35,7 @@ module.exports = async (req, res, next) => { errors.push('Posts must include a file'); } } - if (!req.body.message || req.body.message.length === 0) { + if (!req.body.message || res.locals.messageLength === 0) { if (!req.body.thread && res.locals.board.settings.forceThreadMessage) { errors.push('Threads must include a message'); } else if (req.body.therad && res.locals.board.settings.forceReplyMessage) { 
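Review bot: The `else if` branch immediately below the changed line tests `req.body.therad`, which is never a submitted field, so `forceReplyMessage` can never add an error and a board's "replies must include a message" setting is unenforceable; the branch should read `} else if (req.body.thread && res.locals.board.settings.forceReplyMessage) {`. This is a pre-existing typo rather than something the commit introduces, but the commit rewrites the condition right above it and is the natural place to fix it. The enclosing function starts and ends outside this hunk.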
@@ -43,19 +43,19 @@ module.exports = async (req, res, next) => { } } if (req.body.message) { - if (req.body.message.length > globalLimits.fieldLength.message) { + if (res.locals.messageLength > globalLimits.fieldLength.message) { errors.push(`Message must be ${globalLimits.fieldLength.message} characters or less`); } else if (!req.body.thread && res.locals.board.settings.maxThreadMessageLength - && req.body.message.length > res.locals.board.settings.maxThreadMessageLength) { + && res.locals.messageLength > res.locals.board.settings.maxThreadMessageLength) { errors.push(`Thread messages must be ${res.locals.board.settings.maxThreadLength} characters or less`); } else if (req.body.thread && res.locals.board.settings.maxReplyMessageLength - && req.body.message.length > res.locals.board.settings.maxReplyMessageLength) { + && res.locals.messageLength > res.locals.board.settings.maxReplyMessageLength) { errors.push(`Reply messages must be ${res.locals.board.settings.maxReplyMessageLength} characters or less`); - } else if (!req.body.thread && req.body.message.length < res.locals.board.settings.minThreadMessageLength) { + } else if (!req.body.thread && res.locals.messageLength < res.locals.board.settings.minThreadMessageLength) { errors.push(`Thread messages must be at least ${res.locals.board.settings.minThreadMessageLength} characters long`); - } else if (req.body.thread && req.body.message.length < res.locals.board.settings.minReplyMessageLength) { + } else if (req.body.thread && res.locals.messageLength < res.locals.board.settings.minReplyMessageLength) { errors.push(`Reply messages must be at least ${res.locals.board.settings.minReplyMessageLength} characters long`); } } diff --git a/helpers/paramconverter.js b/helpers/paramconverter.js index 8a18b822..b7913cbb 100644 --- a/helpers/paramconverter.js +++ b/helpers/paramconverter.js 
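Review bot: The thread-length error text interpolates `res.locals.board.settings.maxThreadLength` while the condition two lines above checks `maxThreadMessageLength`, so when a thread exceeds the board limit the user sees "Thread messages must be undefined characters or less"; it should read `${res.locals.board.settings.maxThreadMessageLength}` to match the reply branch below it. The new `messageLength` reads are safe here because the whole chain sits under `if (req.body.message)`, which is the only case in which paramconverter sets the value. The enclosing function continues outside this hunk.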
@@ -39,6 +39,11 @@ module.exports = (req, res, next) => { } } + //proper length check for CRLF vs just LF, because browsers dont count CRLF as 2 characters like the server does (and like it technically is) + if (req.body.message) { + res.locals.messageLength = req.body.message.replace(/\r\n/igm, '\n').length; + } + for (let i = 0; i < numberFields.length; i++) { const field = numberFields[i]; if (req.body[field]) {
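Review bot: `req.body.message.replace(...)` on the added line throws a TypeError when `message` arrives as anything but a string (an array from a repeated form field, or an object from a JSON body), which turns a malformed request into an unhandled exception instead of a validation error; unless an earlier check in this file already rejects non-string fields (not visible here), guard the type: `if (typeof req.body.message === 'string') {`. The `i` and `m` flags on `/\r\n/igm` have no effect on a literal CRLF pattern, so `/\r\n/g` states the intent more plainly. The comment should also say that only the counted length is normalized — the stored message keeps its CRLFs — and that every controller's length check must read `res.locals.messageLength`, since any controller that falls back to `req.body.message.length` reintroduces the mismatch this commit fixes.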