From d4829273c5c04f0696a3e7703d8a431e3b851872 Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Mon, 31 May 2021 15:31:41 +0200
Subject: [PATCH] fix: [paste_submit] restrict source characters
---
 .../modules/PasteSubmit/Flask_PasteSubmit.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/var/www/modules/PasteSubmit/Flask_PasteSubmit.py b/var/www/modules/PasteSubmit/Flask_PasteSubmit.py
index 6b4a002e..c6816346 100644
--- a/var/www/modules/PasteSubmit/Flask_PasteSubmit.py
+++ b/var/www/modules/PasteSubmit/Flask_PasteSubmit.py
@@ -7,6 +7,7 @@
 ##################################
 # Import External packages
 ##################################
+import re
 import os
 import sys
 import json
@@ -278,12 +279,18 @@ def submit():
 paste_content = request.form['paste_content']
 paste_source = request.form['paste_source']
+ if paste_source:
 # limit source length
- paste_source = paste_source.replace('/', '')[:80]
- if paste_source in ['crawled', 'tests']:
- content = f'Invalid source'
- logger.info(paste_source)
- return content, 400
+ paste_source = paste_source.replace('/', '')[:80]
+ if paste_source in ['crawled', 'tests']:
+ content = f'Invalid source'
+ logger.info(paste_source)
+ return content, 400
+
+ if not re.match('^[0-9a-zA-Z-_\+@#&\.;=:!]*$', paste_source):
+ content = f'Invalid source name: Forbidden character(s)'
+ logger.info(content)
+ return content, 400
 is_file = False
 if 'file' in request.files:
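Review bot: The new allow-list check in submit() uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so a `paste_source` ending in `\n` still passes the character restriction. `re.fullmatch` closes that gap, and a raw string avoids the invalid-escape warnings that `\+` and `\.` trigger in a plain literal: `if not re.fullmatch(r'[0-9a-zA-Z_+@#&.;=:!-]*', paste_source):`. Putting the hyphen last in the class also removes any doubt about `Z-_` being read as a range. How `paste_source` is used after this check is outside the hunk, so the impact of a stray newline downstream should be confirmed; submit() itself starts and ends outside the hunk.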