From 06b63f49793a187512c1819e8918e3933d8ea213 Mon Sep 17 00:00:00 2001
From: marty hiatt
Date: Sun, 18 Dec 2022 10:22:02 +1100
Subject: message auth URL when copying to kill ring

---
 lisp/mastodon-auth.el | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lisp/mastodon-auth.el b/lisp/mastodon-auth.el
index 263ece2..4c508a4 100644
--- a/lisp/mastodon-auth.el
+++ b/lisp/mastodon-auth.el
@@ -137,6 +137,7 @@ When ASK is absent return nil."
 (let ((url (mastodon-auth--get-browser-login-url))
 authorization-code)
 (kill-new url)
+ (message url)
 (setq authorization-code
 (mastodon-auth--show-notice mastodon-auth--explanation
 "*mastodon-notice*"
-- 
cgit v1.2.3

From e494fb8d507311de8452db3e6f111b1e32cc3c4d Mon Sep 17 00:00:00 2001
From: Bas Alberts
Date: Thu, 22 Dec 2022 11:01:24 -0500
Subject: fix for custom emoji path traversal

---
 lisp/mastodon-toot.el | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index c87b3bb..06c49a3 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -610,13 +610,19 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (unless (file-directory-p mastodon-custom-emoji-dir)
 (make-directory mastodon-custom-emoji-dir nil)) ; no add parent
 (mapc (lambda (x)
- (url-copy-file (alist-get 'url x)
- (concat
- mastodon-custom-emoji-dir
- (alist-get 'shortcode x)
- "."
- (file-name-extension (alist-get 'url x))
- t))
+ (let ((url (alist-get 'url x))
+ (shortcode (alist-get 'shortcode x)))
+ ;; skip anything that contains unexpected characters
+ (when (and url shortcode
+ (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
+ (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (url-copy-file url
+ (concat
+ mastodon-custom-emoji-dir
+ shortcode
+ "."
+ (file-name-extension url))
+ t))))
 custom-emoji)
 (message "Custom emoji for %s downloaded to %s"
 mastodon-instance-url
-- 
cgit v1.2.3
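Review bot: `(message url)` on the added line uses the URL itself as the format string, so any `%` in it (percent-encoded characters in the authorization URL's query string, for instance) is read as a format directive and either signals a format error or garbles the echoed text; write `(message "%s" url)` instead. Commit ffb83a2 later on this page makes exactly this change, so the point is resolved in history but is worth knowing at this revision. The enclosing `let` form continues outside the hunk.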
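Review bot: The `^` and `$` anchors in the two `string-match-p` calls match at line boundaries in Emacs regexps, not only at the ends of the string, so a shortcode or extension that contains a newline (a constructed example: `"ok\n../../x"`) still satisfies the filter and reaches `concat`; since Emacs file primitives pass the name through `expand-file-name`, the `..` components would presumably be folded lexically and the traversal this commit sets out to close remains reachable from a hostile instance. Anchor to the whole string with `` \\` `` and `\\'` instead. Separately, `file-name-extension` returns nil for a URL without an extension and `string-match-p` then signals a wrong-type-argument error that aborts the whole `mapc`, so the extension should be bound once (the `let` becomes `let*`) and tested for nil before matching. Commit 0114d8a later on this page tightens `*` to `+` but keeps the same anchors and the same nil case, so the change below applies to its hunk as well; the lambda's enclosing function begins and ends outside the hunk.

```elisp
            (let* ((url (alist-get 'url x))
                   (shortcode (alist-get 'shortcode x))
                   (ext (and url (file-name-extension url))))
              ;; skip anything that contains unexpected characters;
              ;; \\` and \\' anchor to the whole string, unlike ^ and $
              (when (and url shortcode ext
                         (string-match-p "\\`[a-zA-Z0-9_-]+\\'" shortcode)
                         (string-match-p "\\`[a-zA-Z]+\\'" ext))
                (url-copy-file url
                               (concat
                                mastodon-custom-emoji-dir
                                shortcode
                                "."
                                ext)
                               t))))
```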
From 0114d8a43161ed8bf90e988d9125af4ae6e61165 Mon Sep 17 00:00:00 2001
From: Bas Alberts
Date: Thu, 22 Dec 2022 22:43:23 -0500
Subject: further harden custom emoji regex filtering

Prevent empty string shortcodes from creating dotfiles inside the custom emoji download dir to prevent e.g. ".envrc" and other such contextual dotfiles from being created in the legitimate download location.

---
 lisp/mastodon-toot.el | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index 06c49a3..d1e8cbe 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -614,8 +614,8 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (shortcode (alist-get 'shortcode x)))
 ;; skip anything that contains unexpected characters
 (when (and url shortcode
- (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
- (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (string-match-p "^[a-zA-Z0-9-_]+$" shortcode)
+ (string-match-p "^[a-zA-Z]+$" (file-name-extension url)))
 (url-copy-file url
 (concat
 mastodon-custom-emoji-dir
-- 
cgit v1.2.3

From ffb83a2edb908a20b666ae42855f51217a7fb0c1 Mon Sep 17 00:00:00 2001
From: Troels Henriksen
Date: Fri, 23 Dec 2022 16:23:19 +0100
Subject: Do not pass URL directly to message.

This breaks if it contains any % characters.

---
 lisp/mastodon-auth.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/mastodon-auth.el b/lisp/mastodon-auth.el
index 4c508a4..3de2901 100644
--- a/lisp/mastodon-auth.el
+++ b/lisp/mastodon-auth.el
@@ -137,7 +137,7 @@ When ASK is absent return nil."
 (let ((url (mastodon-auth--get-browser-login-url))
 authorization-code)
 (kill-new url)
- (message url)
+ (message "%s" url)
 (setq authorization-code
 (mastodon-auth--show-notice mastodon-auth--explanation
 "*mastodon-notice*"
-- 
cgit v1.2.3