fix privilege escalation vulnerability

2014-05-12 21:46:18 -07:00 · 2014-05-12 21:46:18 -07:00 · 57ed5e8055
commit 57ed5e8055
parent 94a1c0b085
5 changed files with 25 additions and 35 deletions
--- a/src/General/Settings.coffee
+++ b/src/General/Settings.coffee
@ -392,8 +392,7 @@ Settings =
  boardnav: ->
    Header.generateBoardList @value
  time: ->
-    funk = Time.createFunc @value
-    @nextElementSibling.textContent = funk Time, new Date()
+    @nextElementSibling.textContent = Time.format @value, new Date()
  backlink: ->
    @nextElementSibling.textContent = @value.replace /%id/, '123456789'
  fileInfo: ->
@ -407,8 +406,7 @@ Settings =
        dimensions: '1280x720'
        isImage: true
        isSpoiler: true
-    funk = FileInfo.createFunc @value
-    @nextElementSibling.innerHTML = funk FileInfo, data
+    @nextElementSibling.innerHTML = FileInfo.format @value, data
  favicon: ->
    Favicon.switch()
    Unread.update() if g.VIEW is 'thread' and Conf['Unread Favicon']
--- a/src/Images/Sauce.coffee
+++ b/src/Images/Sauce.coffee
@ -5,7 +5,7 @@ Sauce =
    links = []
    for link in Conf['sauces'].split '\n'
      try
-        links.push @createSauceLink link.trim() if link[0] isnt '#'
+        links.push link.trim() if link[0] isnt '#'
      catch err
        # Don't add random text plz.
    return unless links.length
@ -14,29 +14,27 @@ Sauce =
    Post.callbacks.push
      name: 'Sauce'
      cb:   @node
-  createSauceLink: (link) ->
+  createSauceLink: (link, post, a) ->
    link = link.replace /%(T?URL|MD5|board|name)/g, (parameter) ->
-      return (if type = {
-        '%TURL':  'post.file.thumbURL'
-        '%URL':   'post.file.URL'
-        '%MD5':   'post.file.MD5'
-        '%board': 'post.board'
-        '%name':  'post.file.name'
+      if type = {
+        '%TURL':  post.file.thumbURL
+        '%URL':   post.file.URL
+        '%MD5':   post.file.MD5
+        '%board': post.board
+        '%name':  post.file.name
      }[parameter]
-        "' + encodeURIComponent(#{type}) + '"
+        encodeURIComponent(type)
      else
-        parameter)
+        parameter
    text = if m = link.match(/;text:(.+)$/) then m[1] else link.match(/(\w+)\.\w+\//)[1]
    link = link.replace /;text:.+$/, ''
-    Function 'post', 'a', """
-      a.href = '#{link}';
-      a.textContent = '#{text}';
-      return a;
-    """
+    a.href = link
+    a.textContent = text
+    a
  node: ->
    return if @isClone or !@file
    nodes = []
    for link in Sauce.links
      # \u00A0 is nbsp
-      nodes.push $.tn('\u00A0'), link @, Sauce.link.cloneNode true
+      nodes.push $.tn('\u00A0'), (Sauce.createSauceLink link, @, Sauce.link.cloneNode true)
    $.add @file.text, nodes
--- a/src/Miscellaneous/FileInfo.coffee
+++ b/src/Miscellaneous/FileInfo.coffee
@ -2,20 +2,18 @@ FileInfo =
  init: ->
    return if g.VIEW is 'catalog' or !Conf['File Info Formatting']

-    @funk = @createFunc Conf['fileInfo']
    Post.callbacks.push
      name: 'File Info Formatting'
      cb:   @node
  node: ->
    return if !@file or @isClone
-    @file.text.innerHTML = "<span class=file-info>#{FileInfo.funk FileInfo, @}</span>"
-  createFunc: (format) ->
-    code = format.replace /%(.)/g, (s, c) ->
+    @file.text.innerHTML = "<span class=file-info>#{FileInfo.format Conf['fileInfo'], @}</span>"
+  format: (formatString, post) ->
+    formatString.replace /%([A-Za-z])/g, (s, c) ->
      if c of FileInfo.formatters
-        "' + FileInfo.formatters.#{c}.call(post) + '"
+        FileInfo.formatters[c].call(post)
      else
        s
-    Function 'FileInfo', 'post', "return '#{code}'"
  convertUnit: (size, unit) ->
    if unit is 'B'
      return "#{size.toFixed()} Bytes"
--- a/src/Miscellaneous/Time.coffee
+++ b/src/Miscellaneous/Time.coffee
@ -2,20 +2,18 @@ Time =
  init: ->
    return if g.VIEW is 'catalog' or !Conf['Time Formatting']

-    @funk = @createFunc Conf['time']
    Post.callbacks.push
      name: 'Time Formatting'
      cb:   @node
  node: ->
    return if @isClone
-    @nodes.date.textContent = Time.funk Time, @info.date
-  createFunc: (format) ->
-    code = format.replace /%([A-Za-z])/g, (s, c) ->
+    @nodes.date.textContent = Time.format Conf['time'], @info.date
+  format: (formatString, date) ->
+    formatString.replace /%([A-Za-z])/g, (s, c) ->
      if c of Time.formatters
-        "' + Time.formatters.#{c}.call(date) + '"
+        Time.formatters[c].call(date)
      else
        s
-    Function 'Time', 'date', "return '#{code}'"
  day: [
    'Sunday'
    'Monday'
--- a/src/Quotelinks/QuoteBacklink.coffee
+++ b/src/Quotelinks/QuoteBacklink.coffee
@ -14,8 +14,6 @@ QuoteBacklink =
  init: ->
    return if g.VIEW is 'catalog' or !Conf['Quote Backlinks']

-    format = Conf['backlink'].replace /%id/g, "' + id + '"
-    @funk  = Function 'id', "return '#{format}'"
    Post.callbacks.push
      name: 'Quote Backlinking Part 1'
      cb:   @firstNode
@ -28,7 +26,7 @@ QuoteBacklink =
    a = $.el 'a',
      href: "/#{@board}/thread/#{@thread}#p#{@}"
      className: if @isHidden then 'filtered backlink' else 'backlink'
-      textContent: (QuoteBacklink.funk @ID) + (if markYours then '\u00A0(You)' else '')
+      textContent: (Conf['backlink'].replace /%id/, @ID) + (if markYours then '\u00A0(You)' else '')
    for quote in @quotes
      containers = [QuoteBacklink.getContainer quote]
      if (post = g.posts[quote]) and post.nodes.backlinkContainer