cyberpresidentvanellope/Bubberstation
1
0
Fork 0
mirror of https://github.com/Bubberstation/Bubberstation.git synced 2025-12-29 19:11:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fa5136cad80dccdcd87581056c60b51a872b9d07
Bubberstation/code/modules/admin/verbs/request_internet_sound.dm
SkyratBot a297c06a0c [MIRROR] Fixed a vulnerability introduced by the Request Music PR [MDB IGNORE] (#21462) 
* Fixed a vulnerability introduced by the Request Music PR (#75691)

Admins can proccall the web_sound proc, completely bypassing the
shell_url_scrub done in other procs. Additionally, admins could just
directly modify the request URL stored in the request manager so that
it, again, bypasses the shell_url_scrub.

This PR just moves the shell scrubbing directly inside the proc, right
before the world.shelleo call, so that admins can't get around it with a
proccall.

* Fixed a vulnerability introduced by the Request Music PR

---------

Co-authored-by: Watermelon914 <37270891+Watermelon914@users.noreply.github.com>
2023-05-27 17:37:55 +00:00

39 lines
1.9 KiB
Plaintext
Raw Blame History

/mob/verb/request_internet_sound()
set category = "OOC"
set name = "Request Internet Sound"
if(GLOB.say_disabled) //This is here to try to identify lag problems
to_chat(usr, span_danger("Speech is currently admin-disabled."), confidential = TRUE)
return
if (!CONFIG_GET(flag/request_internet_sound))
to_chat(usr, span_danger("This server has disabled internet sound requests."), confidential = TRUE)
return
var/request_url = tgui_input_text(usr, "Please Input a URL", "Only certain sites are allowed, such as YouTube, SoundCloud, and Bandcamp.", "")
if(!request_url)
return
//regex filter
var/regex/allowed_regex = regex(replacetext(CONFIG_GET(string/request_internet_allowed), ",", "|"), "i")
if(!allowed_regex.Find(request_url))
to_chat(usr, span_danger("Invalid URL. Please use a URL from one of the following sites: [replacetext(CONFIG_GET(string/request_internet_allowed), "\\", "")]"), confidential = TRUE)
return
log_internet_request("[src.key]/([src.name]): [request_url]")
if(usr.client)
if(usr.client.prefs.muted & MUTE_INTERNET_REQUEST)
to_chat(usr, span_danger("You cannot request music at this time. (muted)."), confidential = TRUE)
return
if(src.client.handle_spam_prevention(request_url,MUTE_INTERNET_REQUEST))
return
GLOB.requests.music_request(usr.client, request_url)
to_chat(usr, span_info("You requested: \"[request_url]\" to be played."), confidential = TRUE)
request_url = span_adminnotice("<b><font color='cyan'>MUSIC REQUEST: </font>[ADMIN_FULLMONTY(src)] [ADMIN_SC(src)]:</b> [span_linkify(request_url)] [ADMIN_PLAY_INTERNET(request_url)]")
for(var/client/admin_client in GLOB.admins)
if(admin_client.prefs.chat_toggles & CHAT_PRAYER)
to_chat(admin_client, request_url, type = MESSAGE_TYPE_PRAYER, confidential = TRUE)
SSblackbox.record_feedback("tally", "music_request", 1, "Music Request") // If you are copy-pasting this, ensure the 4th parameter is unique to the new proc!
Reference in New Issue View Git Blame Copy Permalink