Move sql files into their own directory

Moved all the of the sql out of the init file and into it's own
directory.
This commit is contained in:
Robin Malley 2020-05-17 12:05:00 -04:00
parent 48b4173a7a
commit 6c18829de6
41 changed files with 583 additions and 443 deletions

View File

@ -1 +1,68 @@
The slash.monster server code
# Config
chroot_dir=kore_chroot/
mirror=http://dl-cdn.alpinelinux.org/alpine/
arch=aarch64
version=2.10.5-r0
#certbot_email=--register-unsafely-without-email
certbot_email=-m you@cock.li
domain=test.monster
#Probably don't change stuff past here
lua_files=$(shell find src/lua -type f)
src_files=$(shell find src -type f) $(shell find conf -type f)
sql_files=$(shell find src/sql -type f)
built_files=$(lua_files:src/lua/%.lua=$(chroot_dir)%.lua)
page_files=$(shell find src/pages -type f)
built_pages=$(page_files:src/pages/%.etlua=$(chroot_dir)pages/%.etlua)
built_sql=$(sql_files:src/sql/%.sql=$(chroot_dir)sql/%.sql)
all: $(chroot_dir) smr.so $(built_files) $(built_pages) $(built_sql)
echo $(built_files)
kodev run
apk-tools-static-$(version).apk: Makefile
wget -q $(mirror)latest-stable/main/$(arch)/apk-tools-static-$(version).apk
clean:
kodev clean
$(chroot_dir): #apk-tools-static-$(version).apk
mkdir -p $(chroot_dir)
mkdir -p $(chroot_dir)/pages
mkdir -p $(chroot_dir)/sql
#cd $(chroot_dir) && tar -xvzf ../../apk-tools-static-*.apk
#cd $(chroot_dir) && sudo ./sbin/apk.static -X $(mirror)latest-stable/main -U --allow-untrusted --root $(chroot_dir) --no-cache --initdb add alpine-base
#ln -s /dev/urandom $(chroot_dir)/dev/random #Prevent an attacker with access to the chroot from exhausting our entropy pool and causing a dos
#ln -s /dev/urandom $(chroot_dir)/dev/urandom
#mount /dev/ $(chroot_dir)/dev --bind
#mount -o remount,ro,bind $(chroot_dir)/dev
#mount -t proc none $(chroot_dir)/proc
#mount -o bind /sys $(chroot_dir)/sys
#cp /etc/resolv.conf $(chroot_dir)/etc/resolv.conf
#cp /etc/apk/repositories $(chroot_dir)/etc/apk/repositories
#mkdir $(chroot_dir)/var/sm
## Things to build lua libraries
#chroot $(chroot_dir) apk add luarocks5.1 sqlite sqlite-dev lua5.1-dev build-base zlib zlib-dev
#chroot $(chroot_dir) luarocks-5.1 install etlua
#chroot $(chroot_dir) luarocks-5.1 install lsqlite3
#chroot $(chroot_dir) luarocks-5.1 install lzlib ZLIB_LIBDIR=/lib #for some reason lzlib looks in /usr/lib for libz, when it needs to look at /lib
## Once we've built + installed everything, delete extra stuff from the chroot
#chroot $(chroot_dir) apk del sqlite-dev lua5.1-dev build-base zlib-dev
## SSL certificates, if you don't trust EFF (they have an antifa black block member as their favicon at time of writing) you may want to replace this.
#chroot $(chroot_dir) apk add certbot
## After chroot, apk add luarocks5.1 sqlite sqlite-dev lua5.1-dev build-base
## After chroot, luarocks install etlua; luarocks install lsqlite3
code : $(built_files)
$(built_files): $(chroot_dir)%.lua : src/lua/%.lua
cp $^ $@
$(built_pages): $(chroot_dir)pages/%.etlua : src/pages/%.etlua
cp $^ $@
$(built_sql): $(chroot_dir)sql/%.sql : src/sql/%.sql
cp $^ $@
smr.so : $(src_files)
kodev build

View File

@ -26,8 +26,8 @@ dev {
# These flags are added to the shared ones when
# you build the "dev" flavor.
ldflags=-llua
cflags=-g
cxxflags=-g
cflags=-g -Wextra
cxxflags=-g -Wextra
}
prod {

View File

@ -28,8 +28,7 @@ domain * {
certkey key.pem
#I run kore behind a lighttpd reverse proxy, so this is a bit useless to me
#accesslog /dev/null
accesslog kore_access.log
accesslog /dev/null
route / home
route /_css/style.css asset_serve_style_css

View File

@ -1,4 +1,11 @@
typedef unsigned char u8;
typedef unsigned long long int u64;
typedef unsigned int ui;
void FIPS202_SHAKE128(const u8 *in, u64 inLen, u8 *out, u64 outLen);
void FIPS202_SHAKE256(const u8 *in, u64 inLen, u8 *out, u64 outLen);
void FIPS202_SHA3_224(const u8 *in, u64 inLen, u8 *out);
void FIPS202_SHA3_256(const u8 *in, u64 inLen, u8 *out);
void FIPS202_SHA3_384(const u8 *in, u64 inLen, u8 *out);
void FIPS202_SHA3_512(const u8 *in, u64 inLen, u8 *out);
int LFSR86540(u8 *R);
void KeccakF1600(void *s);

View File

@ -16,13 +16,13 @@ sha3(data::string)::string
int
lsha3(lua_State *L){
size_t len;
char out[64];
const char *data = luaL_checklstring(L,-1,&len);
unsigned char out[64];
const unsigned char *data = (const unsigned char*)luaL_checklstring(L,-1,&len);
lua_pop(L,1);
printf("All data gotten, about to hash\n");
FIPS202_SHA3_512(data, len, out);
printf("Finished hashing\n");
lua_pushlstring(L,out,64);
lua_pushlstring(L,(char*)out,64);
printf("Finished pushing string to lua\n");
return 1;
}
@ -41,7 +41,7 @@ lsxor(lua_State *L){
const char *shorter = la > lb ? b : a;
const char *longer = la > lb ? a : b;
char out[outsize];
int i;
size_t i;
for(i = 0; i < loopsize; i++)
out[i] = shorter[i] ^ longer[i];
for(;i < outsize; i++)

View File

@ -170,9 +170,6 @@ lhttp_request_get_ip(lua_State *L){
struct http_request *req = luaL_checkrequest(L,-1);
lua_pop(L,1);
char addr[INET6_ADDRSTRLEN];
printf("AF_INET:%d\n",AF_INET);
printf("AF_INET6:%d\n",AF_INET6);
printf("AF_UNIX:%d\n",AF_UNIX);
switch(req->owner->family){
case AF_INET:
inet_ntop(
@ -242,7 +239,6 @@ lhttp_file_get(lua_State *L){
lua_concat(L,2);
lua_error(L);
}
printf("file length: %d\n", f->length);
char s[f->length + 1];
size_t read = http_file_read(f,s,f->length);
if(read < f->length){

View File

@ -5,6 +5,7 @@ int lhttp_method_text(lua_State *L);
int lhttp_request_get_path(lua_State *L);
int lhttp_request_get_host(lua_State *L);
int lhttp_request_populate_post(lua_State *L);
int lhttp_request_populate_qs(lua_State *L);
int lhttp_response_cookie(lua_State *L);
int lhttp_request_cookie(lua_State *L);
int lhttp_argument_get_string(lua_State *L);

View File

@ -1,34 +1,53 @@
print("very quick hello from init.lua")
local et = require("etlua")
local sql = require("lsqlite3")
local zlib = require("zlib")
--local function print() end --squash prints
print("Hello from init.lua")
local function print() end --squash prints
local parser_names = {"plain","imageboard"}
local parsers = {}
for _,v in pairs(parser_names) do
parsers[v] = require("parser_" .. v)
end
local db,cache
local domain = "test.monster:8888"
local db,cache --databases
local domain = "test.monster:8888" --The domain to write links as
local pagenames = {
"index",
"author_index",
"claim",
"paste",
"edit",
"read",
"nostory",
"cantedit",
"noauthor",
"login",
"author_paste",
"author_edit",
}
local pages = {}
for k,v in pairs(pagenames) do
print("Compiling page:",v)
local f = assert(io.open("pages/" .. v .. ".etlua","r"))
pages[v] = assert(et.compile(f:read("*a")))
f:close()
end
local queries = {}
--These are all loaded during startup, won't affect ongoing performance.
setmetatable(queries,{
__index = function(self,key)
local f = assert(io.open("sql/" .. key .. ".sql","r"))
local ret = f:read("*a")
f:close()
return ret
end
})
---sql queries
local stmnt_index, stmnt_author_index, stmnt_read, stmnt_paste, stmnt_raw
local stmnt_author_create, stmnt_author_acct, stmnt_author_bio
local stmnt_cache, stmnt_insert_cache, stmnt_dirty_cache
local stmnt_get_session, stmnt_insert_session
local stmnt_edit
local stmnt_edit, stmnt_update, stmnt_update_raw, stmnt_author_of
--see https://perishablepress.com/stop-using-unsafe-characters-in-urls/
--no underscore because we use that for our operative pages
local url_characters =
@ -62,55 +81,18 @@ print("Hello from init.lua")
function configure()
db = sqlassert(sql.open("data/posts.db"))
cache = sqlassert(sql.open_memory())
for k,v in pairs(pagenames) do
print("Compiling page:",v)
local f = assert(io.open("pages/" .. v .. ".etlua","r"))
pages[v] = assert(et.compile(f:read("*a")))
f:close()
end
print("Compiled pages...")
local msg = "test message"
local one = zlib.compress(msg)
local two = zlib.decompress(one)
--For some reason, the zlib library fails if this is done as a oneliner
assert(two == msg, "zlib not working as expected")
print("zlib seems to work...")
assert(db:exec([[
CREATE TABLE IF NOT EXISTS authors (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
name TEXT UNIQUE ON CONFLICT FAIL,
salt BLOB,
passhash BLOB,
joindate INTEGER,
biography TEXT
);
]]))
--Create sql tables
assert(db:exec(queries.create_table_authors))
--Create a fake "anonymous" user, so we don't run into trouble
--so that no one runs into touble being able to paste under this account.
assert(db:exec([[
INSERT OR IGNORE INTO authors (
name,
salt,
passhash,
joindate,
biography
) VALUES (
'anonymous',
'',
'',
strftime('%s','1970-01-01 00:00:00'),
''
);
]]))
assert(db:exec([[
REPLACE INTO authors (name,salt,passhash,joindate,biography) VALUES (
'anonymous',
'',
'',
strftime('%s','1970-01-01 00:00:00'),
'',
);
]]))
assert(db:exec(queries.insert_anon_author))
--If/when an author delets their account, all posts
--and comments by that author are also deleted (on
--delete cascade) this is intentional. This also
@ -118,62 +100,22 @@ function configure()
--an author makes will also be deleted.
--
--Post text uses zlib compression
assert(db:exec([[
CREATE TABLE IF NOT EXISTS posts (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
post_text BLOB,
post_title TEXT,
authorid REFERENCES authors(id) ON DELETE CASCADE,
isanon INTEGER,
hashedip BLOB,
post_time INTEGER
);
]]))
assert(db:exec(queries.create_table_posts))
--Store the raw text so people can download it later, maybe
--we can use it for "download as image" or "download as pdf"
--in the future too. Stil stored zlib compressed
assert(db:exec([[
CREATE TABLE IF NOT EXISTS raw_text (
id INTEGER PRIMARY KEY REFERENCES posts(id) ON DELETE CASCADE,
post_text BLOB,
markup TEXT
);]]))
assert(db:exec([[
CREATE TABLE IF NOT EXISTS images (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
name TEXT,
image BLOB,
authorid REFERENCES authors(id) ON DELETE CASCADE,
upload_time INTEGER,
hashedip BLOB
);
]]))
assert(db:exec([[
CREATE TABLE IF NOT EXISTS comments (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
postid REFERENCES posts(id) ON DELETE CASCADE,
author REFERENCES authors(id) ON DELETE CASCADE,
isanon INTEGER,
comment_text TEXT,
hashedip BLOB,
post_time INTEGER
);
]]))
assert(db:exec([[
CREATE TABLE IF NOT EXISTS tags (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
postid REFERENCES posts(id) ON DELETE CASCADE,
tag TEXT
);
]]))
assert(db:exec([[
CREATE TABLE IF NOT EXISTS sessions (
key TEXT PRIMARY KEY,
author REFERENCES authors(id) ON DELETE CASCADE,
start INTEGER
);
]]))
assert(db:exec(queries.create_table_raw_text))
assert(db:exec(queries.create_table_images)) --TODO
assert(db:exec(queries.create_table_comments)) --TODO
assert(db:exec(queries.create_table_tags)) --TODO
--Store a cookie for logged in users. Logged in users can edit
--their own posts.
assert(db:exec(queries.create_table_session))
print("Created db tables")
--A cache table to store rendered pages that do not need to be
--rerendered. In theory this could OOM the program eventually and start
--swapping to disk. TODO: fixme
assert(cache:exec([[
CREATE TABLE IF NOT EXISTS cache (
path TEXT PRIMARY KEY,
@ -182,138 +124,46 @@ function configure()
dirty INTEGER
);
]]))
stmnt_index = assert(db:prepare([[
SELECT
posts.id,
posts.post_title,
posts.isanon,
posts.post_time,
authors.name
FROM
posts,
authors
WHERE
posts.authorid = authors.id
UNION
SELECT
posts.id,
posts.post_title,
posts.isanon,
posts.post_time,
'Anonymous'
FROM
posts
WHERE
posts.authorid = -1
ORDER BY
posts.post_time DESC
LIMIT 10;
]]))
stmnt_read = assert(db:prepare([[
SELECT
post_title,
post_text,
posts.authorid,
posts.isanon,
authors.name
FROM
posts,authors
WHERE
posts.authorid = authors.id AND
posts.id = :id;
]]))
--Select the data we need to display the on the front page
stmnt_index = assert(db:prepare(queries.select_site_index))
--Select the data we need to read a story (and maybe display an edit
--button
stmnt_read = assert(db:prepare(queries.select_post))
--TODO: actually let authors edit their bio
stmnt_author_bio = assert(db:prepare([[
SELECT authors.biography FROM authors WHERE authors.name = :author;
]]))
stmnt_author = assert(db:prepare([[
SELECT
posts.id,
posts.post_title,
posts.post_time
FROM
posts,
authors
WHERE
posts.isanon = 0 AND
posts.authorid = authors.id AND
authors.name = :author
ORDER BY
posts.post_time DESC
LIMIT 10;
]]))
--Get the author of a story, used to check when editing that the
--author really owns the story they're trying to edit
stmnt_author_of = assert(db:prepare(queries.select_author_of_post))
--Get the data we need to display a particular author's latest
--stories
stmnt_author = assert(db:prepare(queries.select_author_index))
--Get the data we need to check if someone can log in
stmnt_author_acct = assert(db:prepare([[
SELECT id, salt, passhash FROM authors WHERE name = :name;
]]))
stmnt_author_create = assert(db:prepare([[
INSERT OR FAIL INTO authors (
name,
salt,
passhash,
joindate,
biography
) VALUES (
:name,
:salt,
:hash,
strftime('%s','now'),
''
);
]]))
--Create a new author on the site
stmnt_author_create = assert(db:prepare(queries.insert_author))
stmnt_author_login = assert(db:prepare([[
SELECT name, passhash FROM authors WHERE name = :name;
]]))
stmnt_paste = assert(db:prepare([[
INSERT INTO posts (
post_text,
post_title,
authorid,
isanon,
hashedip,
post_time
) VALUES (
?,
?,
?,
?,
?,
strftime('%s','now')
);
]]))
stmnt_raw = assert(db:prepare([[
INSERT INTO raw_text (
id, post_text, markup
) VALUES (
?, ?, ?
);
]]))
stmnt_edit = assert(db:prepare([[
SELECT
raw_text.post_text, raw_text.markup, posts.isanon
FROM
raw_text, posts
WHERE
raw_text.id = posts.id AND
raw_text.id = :postid;
]]))
stmnt_insert_session = assert(db:prepare([[
INSERT INTO sessions (
key,
author,
start
) VALUES (
:sessionid,
:authorid,
strftime('%s','now')
);
]]))
stmnt_get_session = assert(db:prepare([[
SELECT authors.name, authors.id
FROM authors, sessions
WHERE
sessions.key = :key AND
sessions.author = authors.id AND
sessions.start - strftime('%s','now') < 60*60*24;
]]))
--Create a new post
stmnt_paste = assert(db:prepare(queries.insert_post))
--Keep a copy of the plain text of a post so we can edit it later
--It might also be useful for migrations, if that ever needs to happen
stmnt_raw = assert(db:prepare(queries.insert_raw))
--Get the data we need to display the edit screen
stmnt_edit = assert(db:prepare(queries.select_edit))
--When we update a post, store the plaintext again
stmnt_update_raw = assert(db:prepare(queries.update_raw))
--Should we really reset the update time every time someone makes a post?
--Someone could keep their story on the front page by just editing it a lot.
--If it gets abused I can disable it I guess.
stmnt_update = assert(db:prepare(queries.update_post))
stmnt_insert_session = assert(db:prepare(queries.insert_session))
stmnt_get_session = assert(db:prepare(queries.select_valid_sessions))
--only refresh pages at most once every 10 seconds
stmnt_cache = cache:prepare([[
SELECT data
@ -408,6 +258,7 @@ local function start_session(who)
authorid = who
}
local err = do_sql(stmnt_insert_session)
stmnt_insert_session:reset()
print("Err:",err)
assert(err == sql.DONE)
return session
@ -470,10 +321,6 @@ local function render(pagename,callback)
return text
end
local function author_page(name)
end
function home(req)
print("Hello from lua!")
print("Method:", http_method_text(req))
@ -482,17 +329,15 @@ function home(req)
local path = http_request_get_path(req)
local text
if host == domain then
--Default home page
text = render(host..path,function()
print("Cache miss, rendering index")
stmnt_index:bind_names{}
local err = do_sql(stmnt_index)
print("err:",err)
local latest = {}
--err may be sql.ROW or sql.DONE if we don't have any stories yet
while err == sql.ROW do
local data = stmnt_index:get_values()
for k,v in pairs(data) do
print(k,":",v)
end
table.insert(latest,{
url = encode_id(data[1]),
title = data[2],
@ -503,23 +348,15 @@ function home(req)
err = stmnt_index:step()
end
stmnt_index:reset()
--[[
local latest = stmnt_index:get_values()
print("latest:",latest)
for k,v in pairs(latest) do
print(k,":",v)
end
]]
print("returning...\n")
return pages.index{
domain = domain,
stories = latest
}
end)
else
print("Author login")
--Home page for an author
local subdomain = host:match("([^\\.]+)")
text = render(host..path,function()
text = render(string.format("%s.%s",subdomain,domain),function()
print("Cache miss, rendering author:" .. subdomain)
stmnt_author_bio:bind_names{author=subdomain}
local err = do_sql(stmnt_author_bio)
@ -540,16 +377,13 @@ function home(req)
err = do_sql(stmnt_author)
print("err:",err)
local stories = {}
while err ~= sql.DONE do
while err == sql.ROW do
local data = stmnt_author:get_values()
print("Added story:",data)
for k,v in pairs(data) do
print(k,":",v)
end
local id, title, time = unpack(data)
table.insert(stories,{
url = encode_id(data[1]),
title = data[2],
posted = os.date("%B %d %Y",tonumber(data[3]))
url = encode_id(id),
title = title,
posted = os.date("%B %d %Y",tonumber(time))
})
err = stmnt_author:step()
end
@ -562,20 +396,14 @@ function home(req)
}
end)
end
print("Host:",http_request_get_host(req))
print("Path:",http_request_get_path(req))
print("subdomain:",subdomain)
print("index:",pages.index)
--local text = pages.index({domain = domain})
print("returning:",text)
assert(text)
http_response(req,200,text)
end
--We prevent people from changing their password file, this way we don't really
--need to worry about logged in accounts being hijacked if someone gets at the
--database. The attacker can still paste from the logged in account for a while,
--but whatever.
--database. The attacker can still paste & edit from the logged in account for
--a while, but whatever.
function claim(req)
local method = http_method_text(req)
local host = http_request_get_host(req)
@ -587,14 +415,14 @@ function claim(req)
end
assert(host == domain)
local text
print("method:",method)
if method == "GET" then
print("render is:",render)
--Get the page to claim a name
text = render(host..path,function()
print("cache miss, rendering claim page")
return pages.claim{}
end)
elseif method == "POST" then
--Actually claim a name
http_request_populate_post(req)
local name = assert(http_argument_get_string(req,"user"))
local rngf = assert(io.open("/dev/urandom","rb"))
@ -602,39 +430,30 @@ function claim(req)
local salt = rngf:read(64)
local password = rngf:read(passlength)
rngf:close()
print("Starting session:",session)
print("About to xor")
print("About to hash")
local hash = sha3(salt .. password)
print("done hashing")
stmnt_author_create:bind_names{
name = name,
}
stmnt_author_create:bind_blob(2,salt)
stmnt_author_create:bind_blob(3,hash)
print("Everything bound, ready to go")
local err = do_sql(stmnt_author_create)
print("Error:",err)
print("DONE",sql.DONE)
print("ERROR",sql.ERROR)
print("MISUSE",sql.MISUSE)
print("ROW",sql.ROW)
if err == sql.DONE then
print("New author:",name)
--We sucessfully made athe new author
local id = stmnt_author_create:last_insert_rowid()
print("ID:",id)
stmnt_author_create:reset()
--Give them a file back
http_response_header(req,"Content-Type","application/octet-stream")
http_response_header(req,"Content-Disposition","attachment; filename=\"" .. domain .. "." .. name .. ".passfile\"")
http_response_header(req,"Content-Disposition","attachment; filename=\"" .. name .. "." .. domain .. ".passfile\"")
local session = start_session(id)
http_response_cookie(req,"session",session,"/",0,0)
text = password
elseif err == sql.CONSTRAINT then
--If the creation failed, they probably just tried
--to use a name that was already taken
text = pages.claim {
err = "Failed to claim. That name may already be taken."
}
elseif err == sql.ERROR or err == sql.MISUSE then
--This is bad though
text = pages.claim {
err = "Failed to claim"
}
@ -652,7 +471,9 @@ function paste(req)
local err
local ret
if method == "GET" then
--Get the paste page
if host == domain then
--For an anonymous user
ret = render(host..path,function()
print("Cache missing, rendering post page")
return pages.paste{
@ -660,9 +481,14 @@ function paste(req)
}
end)
else
--Or for someone that's logged in
print("Looks like a logged in user wants to paste!")
local subdomain = host:match("([^\\.]+)")
local author,_ = get_session(req)
--If they try to paste as an author, but are on the
--wrong subdomain, or or not logged in, redirect them
--to the right place. Their own subdomain for authors
--or the anonymous paste page for not logged in users.
if author == nil then
print("sessionid was nil")
http_response_header(req,"Location","https://"..domain.."/_paste")
@ -675,6 +501,9 @@ function paste(req)
return
end
assert(author == subdomain,"someone wants to paste as someone else")
--We're where we want to be, serve up this users's
--paste page. No cache, because how often is a user
--going to paste?
ret = pages.author_paste{
domain = domain,
user = author,
@ -682,45 +511,40 @@ function paste(req)
}
end
elseif method == "POST" then
--We're creatinga new paste
http_request_populate_post(req)
local title = assert(http_argument_get_string(req,"title"))
local text = assert(http_argument_get_string(req,"text"))
local markup = assert(http_argument_get_string(req,"markup"))
local pasteas
local raw = zlib.compress(text)
print("text1",text)
--text = string.gsub(text,"(%+)"," ")
print("text2",text)
text = string.gsub(text,"%%(%x%x)",decodeentities)
print("After decode:\n",text)
text = parsers[markup](text)
print("After markup:",text)
--text = string.gsub(text,escapematch,sanitize)
text = zlib.compress(text)
print("After deflate:",text)
print("inflating this data, we would get", zlib.decompress(text))
local esctitle = string.gsub(title,"%%(%x%x)",decodeentities)
--Always sanatize the title with the plain parser. no markup
--in the title.
esctitle = parsers.plain(title)
print("title:",esctitle)
--TODO:paste to author page
if host == domain then
print("got text:",text)
--Public paste
--[[
This doesn't actually do much for IPv4 addresses,
since there are only 32 bits of address, someone could
since there are only 32 bits of address. Someone who
got a copy of the database could
just generate all 2^32 hashes and look up who posted
what. Use IPv6, Tor or I2P where possible. (but then I
guess it's harder to ban spammers... hmm..)
]]
--local ip = http_request_get_ip(req)
--local iphash = sha3(ip)
--Don't store this information for now, until I come up
--with a more elegent solution.
assert(stmnt_paste:bind_blob(1,text) == sql.OK)
assert(stmnt_paste:bind(2,esctitle) == sql.OK)
assert(stmnt_paste:bind(3,-1) == sql.OK)
assert(stmnt_paste:bind(4,true) == sql.OK)
assert(stmnt_paste:bind_blob(5,"") == sql.OK)
err = do_sql(stmnt_paste)
print("err:",err)
if err == sql.DONE then
local rowid = stmnt_paste:last_insert_rowid()
assert(stmnt_raw:bind(1,rowid) == sql.OK)
@ -747,29 +571,7 @@ function paste(req)
stmnt_paste:reset()
else
--local subdomain = host:match("([^\\.]+)")
--http_populate_cookies(req)
--local sessionid = http_request_cookie(req,"session")
--if sessionid == nil then --If someone not logged in tries to paste as someone else, send give them an error
--ret = pages.author_paste{
--domain = domain,
--author = subdomain,
--err = "You are not logged in, you must be logged in to post as " .. subdomain .. ".",
--text = text
--}
--end
--print("Got cookie:",sessionid)
--stmnt_get_session:bind_names{
--key = sessionid
--}
--err = do_sql(stmnt_get_session)
--print("err:",err)
--local data = stmnt_get_session:get_values()
--stmnt_get_session:reset()
--print("got data:",data)
--for k,v in pairs(data) do
--print(k,":",v)
--end
--Author paste
local author, authorid = get_session(req)
if author == nil then
ret = pages.author_paste{
@ -779,13 +581,10 @@ function paste(req)
text = text
}
end
--local author = data[1]
--local authorid = data[2]
local asanon = assert(http_argument_get_string(req,"pasteas"))
--No need to check if the author is posting to the
--right sudomain, just post it to the one they have
--the key for.
--"right" sudomain, just post it to the one they have
--the session key for.
assert(stmnt_paste:bind_blob(1,text) == sql.OK)
assert(stmnt_paste:bind(2,esctitle) == sql.OK)
assert(stmnt_paste:bind(3,authorid) == sql.OK)
@ -831,24 +630,54 @@ function paste(req)
http_response(req,200,ret)
end
--A helper function for below
local function read_story(host,path,idp)
return render(host..path,function()
print("Trying to read, id is",idp,":",decode_id(idp))
local id = decode_id(idp)
print("id:",id,type(id))
stmnt_read:bind_names{
id = id
}
local err = do_sql(stmnt_read)
if err == sql.DONE then
stmnt_read:reset()
return pages.nostory{
path = path
}
end
assert(err == sql.ROW,"Could not get row:" .. tostring(id) .. " Error:" .. tostring(err))
local title, text, authorid, isanon, authorname = unpack(stmnt_read:get_values())
text = zlib.decompress(text)
stmnt_read:reset()
return pages.read{
domain = domain,
title = title,
text = text,
idp = idp,
isanon = isanon == 1,
author = authorname
}
end)
end
function read(req)
local host = http_request_get_host(req)
local path = http_request_get_path(req)
print("host:",host)
print("path:",path)
local idp = string.sub(path,2)--remove leading "/"
assert(string.len(path) > 0,"Tried to read 0-length story id")
local author, authorid = get_session(req)
print("author is:",author)
local text
if author then
--We're logged in as someone
local id = decode_id(idp)
stmnt_read:bind_names{
id = id
}
local err = do_sql(stmnt_read)
print("err:",err)
if err == sql.DONE then
--We got no story
stmnt_read:reset()
return pages.nostory{
path = path
@ -856,14 +685,15 @@ function read(req)
end
assert(err == sql.ROW)
local title, storytext, tauthor, isanon, authorname = unpack(stmnt_read:get_values())
storytext = zlib.decompress(storytext)
stmnt_read:reset()
if tauthor == authorid then
print("We're the owner of this story!")
local uncompressed = zlib.decompress(storytext)
--The story exists and we're logged in as the
--owner, display the edit button
text = pages.read{
domain = domain,
title = title,
text = text,
text = storytext,
idp = idp,
isanon = isanon == 1,
author = authorname,
@ -871,88 +701,46 @@ function read(req)
}
else
print("We're logged in, but not the owner of this story!")
text = read_story(host,path,idp)
end
else
text = render(host..path,function()
print("Trying to read, id is",idp,":",decode_id(idp))
local id = decode_id(idp)
print("id:",id,type(id))
stmnt_read:bind_names{
id = id
}
local err = do_sql(stmnt_read)
print("err:",err)
if err == sql.ROW then
elseif err == sql.DONE then
stmnt_read:reset()
return pages.nostory{
path = path
}
end
assert(err == sql.ROW,"Could not get row:" .. tostring(id) .. " Error:" .. tostring(err))
print("get_values:")
local title, text, authorid, isanon, authorname = unpack(stmnt_read:get_values())
print("Got text from unpack:",text)
text = zlib.decompress(text)
print("inflated text:",text)
print("title:",title)
print("text:",text)
print("idp:",idp)
stmnt_read:reset()
return pages.read{
domain = domain,
title = title,
text = text,
idp = idp,
isanon = isanon == 1,
author = authorname
}
end)
text = read_story(host,path,idp)
end
assert(text)
http_response(req,200,text)
end
function login(req)
print("Logging in")
local host = http_request_get_host(req)
local path = http_request_get_path(req)
local method = http_method_text(req)
if host ~= domain then
--Don't allow logging into subdomains, I guess
http_response_header(req,"Location",string.format("https://%s/_login",domain))
http_response(req,303,"")
return
end
local text
if method == "GET" then
--Just give them the login page
text = render(host..path,function()
return pages.login{}
end)
elseif method == "POST" then
--http_request_populate_post(req)
--Try to log in
http_populate_multipart_form(req)
local name = assert(http_argument_get_string(req,"user"))
local pass = assert(http_file_get(req,"pass"))
print("name:",name)
print("pass:",pass)
stmnt_author_acct:bind_names{
name = name
}
local err = do_sql(stmnt_author_acct)
print("err:",err)
if err == sql.ROW then
local id, salt, passhash = unpack(stmnt_author_acct:get_values())
stmnt_author_acct:reset()
print("salt:",salt)
print("passhash:",passhash)
local todigest = salt .. pass
local hash = sha3(todigest)
print("hash:",hash)
print("passhash:",passhash)
if hash == passhash then
print("Passfile accepted")
local session = start_session(id)
http_response_cookie(req,"session",session,"/",0,0)
local loc = string.format("https://%s.%s",name,domain)
@ -966,10 +754,12 @@ function login(req)
end
elseif err == sql.DONE then --Allows user enumeration, do we want this?
--Probably not a problem since all passwords are forced to be "good"
stmnt_author_acct:reset()
text = pages.login{
err = "Failed to find user:" .. name
}
else
stmnt_author_acct:reset()
error("Other sql error during login")
end
end
@ -977,36 +767,97 @@ function login(req)
http_response(req,200,text)
end
--Edit a story
function edit(req)
local host = http_request_get_host(req)
local path = http_request_get_path(req)
local method = http_method_text(req)
local author, author_id = get_session(req)
local ret
if method == "GET" then
http_request_populate_qs(req)
local story = assert(http_argument_get_string(req,"story"))
local story_id = decode_id(story)
print("we want to edit story:",story)
--Check that the logged in user is the owner of the story
--sql-side. If we're not the owner, we'll get 0 rows back.
stmnt_edit:bind_names{
postid = story_id
postid = story_id,
authorid = author_id
}
local err = do_sql(stmnt_edit)
print("err:",err)
if err == sql.DONE then
print("No such story to edit:",story_id)
--No rows, we're probably not the owner (it might
--also be because there's no such story)
ret = pages.cantedit{
path = story,
}
stmnt_edit:reset()
http_response(req,200,ret)
return
end
assert(err == sql.ROW)
local data = stmnt_edit:get_values()
local txt_compressed, markup, isanon = unpack(data)
for k,v in pairs(data) do
print(k,":",v)
end
local txt_compressed, markup, isanon, title = unpack(data)
local text = zlib.decompress(txt_compressed)
stmnt_edit:reset()
ret = pages.edit{
title = title,
text = text,
markup = markup,
user = author,
isanon = isanon == 1,
domain = domain,
story = story_id,
err = "",
}
elseif method == "POST" then
--TODO: same as paste?
--nope, need to replace the story instead of inserting a new one.
http_request_populate_post(req)
local storyid = tonumber(assert(http_argument_get_string(req,"story")))
local title = assert(http_argument_get_string(req,"title"))
local text = assert(http_argument_get_string(req,"text"))
local pasteas = assert(http_argument_get_string(req,"pasteas"))
local markup = assert(http_argument_get_string(req,"markup"))
stmnt_author_of:bind_names{
id = storyid
}
local err = do_sql(stmnt_author_of)
if err ~= sql.ROW then
stmnt_author_of:reset()
error("No author found for story:" .. storyid)
end
local data = stmnt_author_of:get_values()
stmnt_author_of:reset()
local realauthor = data[1]
assert(realauthor == author_id) --Make sure the author of the story is the currently logged in user
local parsed = parsers[markup](text)
local compr_raw = zlib.compress(text)
local compr = zlib.compress(parsed)
assert(stmnt_update_raw:bind_blob(1,compr_raw) == sql.OK)
assert(stmnt_update_raw:bind(2,markup) == sql.OK)
assert(stmnt_update_raw:bind(3,storyid) == sql.OK)
assert(do_sql(stmnt_update_raw) == sql.DONE, "Failed to update raw")
stmnt_update_raw:reset()
assert(stmnt_update:bind(1,title) == sql.OK)
assert(stmnt_update:bind_blob(2,compr) == sql.OK)
assert(stmnt_update:bind(3,pasteas == "anonymous" and 1 or 0) == sql.OK)
assert(stmnt_update:bind(4,storyid) == sql.OK)
assert(do_sql(stmnt_update) == sql.DONE, "Failed to update text")
stmnt_update:reset()
local id_enc = encode_id(storyid)
local loc = string.format("https://%s/%s",domain,id_enc)
dirty_cache(string.format("%s/%s",domain,id_enc)) -- This place to read this post
dirty_cache(string.format("%s",domain)) -- The site index (ex, if the author changed the paste from their's to "Anonymous", the cache should reflect that).
dirty_cache(string.format("%s.%s",author,domain)) -- The author's index, same reasoning as above.
http_response_header(req,"Location",loc)
http_response(req,303,"")
return
end
assert(ret)
http_response(req,200,ret)
end
--TODO
function edit_bio()
print("we want to edit bio")
end
@ -1023,5 +874,3 @@ function teardown()
end
print("Done with init.lua")
--[==[
]==]

View File

@ -21,7 +21,7 @@ local function sanitize(text)
return ret
end
--Grammer
--Grammar
local space = S" \t\r"^0
local special = P{
P"**" + P"''" + P"'''" +
@ -33,14 +33,14 @@ local word = Cs((1 - special)^1) * space / sanitize
--Generates a pattern that formats text inside matching 'seq' tags with format
--ex wrap("^^",[[<sup>%s</sup>]])
--will wrapp text "5^^3^^" as "5<sup>3</sup>"
--will wrap text "5^^3^^" as "5<sup>3</sup>"
local function wrap(seq,format)
return P(seq) * Cs(((1 - P(seq)) * space)^1) * P(seq) * space / function(a)
return string.format(format,sanitize(a))
end
end
--Generates a pattern that formats text inside openinig and closing "name" tags
--Generates a pattern that formats text inside opening and closing "name" tags
--with a format, BB forum style
local function tag(name,format)
local start_tag = P(string.format("[%s]",name))
@ -50,7 +50,7 @@ local function tag(name,format)
end
end
local grammer = P{
local grammar = P{
"chunk";
--regular
spoiler = wrap("**",[[<span class="spoiler">%s</span>]]),
@ -76,36 +76,36 @@ local grammer = P{
chunk = V"line"^0 * V"plainline" * V"ending"
}
--local text = [[
--this is **a big** test with ''italics''!
--we need to > sanitize < things that could be tags
--like really <b> badly </b>
--words can include any'single item without=penalty
--Can you use '''one tag ==within== another tag'''?
--let's see if [spoiler]spoiler tags work[/spoiler]
--things might even __go over
--multiple lines__ blah
--Let's test out those [code]
--code tag,s and see how well
--they work
--here's ome
--preformated <with injection>
--text
--[/code]
--> Or have blank lines
local text = [[
this is **a big** test with ''italics''!
we need to > sanitize < things that could be tags
like really <b> badly </b>
words can include any'single item without=penalty
Can you use '''one tag ==within== another tag'''?
let's see if [spoiler]spoiler tags work[/spoiler]
things might even __go over
multiple lines__ blah
Let's test out those [code]
code tag,s and see how well
they work
here's ome
preformated <with injection>
text
[/code]
> Or have blank lines
--one important thing is that greentext > should not start in the middle of a line
--> this next line is a green text, what if I include **markup** inside it?
--< and after '''it is''' a pinktext
--> because of some of these restrictions **bold text
--cannot go over multiple lines** in a green text
--__and finally__ there might be some text with '''
--incomplete syntax <b> with injection</b> !!!!
--]]
one important thing is that greentext > should not start in the middle of a line
> this next line is a green text, what if I include **markup** inside it?
< and after '''it is''' a pinktext
> because of some of these restrictions **bold text
cannot go over multiple lines** in a green text
__and finally__ there might be some text with '''
incomplete syntax <b> with injection</b> !!!!
]]
return function(text)
return table.concat({grammer:match(text .. "\n")}," ")
end
--for k,v in pairs({grammer:match(text)}) do
--print(k,":",v)
--return function(text)
--return table.concat({grammar:match(text .. "\n")}," ")
--end
for k,v in pairs({grammar:match(text)}) do
print(k,":",v)
end

View File

@ -6,8 +6,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<h1 class="title">

View File

@ -6,8 +6,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<h1 class="title">

View File

@ -4,8 +4,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body>
<main class="wrapper">

22
src/pages/cantedit.etlua Normal file
View File

@ -0,0 +1,22 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>&#128577</title>
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">
<h1 class="title">
&#128577;
</h1>
<div class="container">
<p>
You don't have permission to edit: <%= path %>
</p>
</div>
</main>
</body>
<body>

View File

@ -4,8 +4,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">

View File

@ -4,8 +4,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body>
<main class="wrapper">
@ -13,16 +13,23 @@
Paste
</h1>
<% if err then %><em class="error"><%= err %></em><% end %>
<form action="https://<%= user %>.<%= domain %>/_paste" method="post" class="container">
<form action="https://<%= user %>.<%= domain %>/_edit" method="post" class="container">
<fieldset>
<div class="row">
<input type="text" name="title" placeholder="Title" class="column column-80"></input>
<select id="pasteas" class="column column-10">
<input type="text" name="title" placeholder="Title" class="column column-80" value="<%= title %>"></input>
<input type="hidden" name="story" value="<%= story %>">
<select id="pasteas" name="pasteas" class="column column-10">
<% if isanon then %>
<option value="<%= user %>"><%= user %></option>
<option value="anonymous">anonymous</option>
<option value="anonymous" selected>Anonymous</option>
<% else %>
<option value="<%= user %>" selected><%= user %></option>
<option value="anonymous">Anonymous</option>
<% end %>
</select>
<select id="markup" class="column column-10">
<select id="markup" name="markup" class="column column-10">
<option value="plain">Plain</option>
<option value="imageboard">Imageboard</option>
</select>
</div>
<div class="row">

View File

@ -3,8 +3,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">

View File

@ -4,8 +4,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">
@ -19,7 +19,7 @@
<input type="text" name="user" id="user" placeholder="name">
<label for="pass">Passfile:</label>
<input type="file" name="pass" id="pass">
<input type="submit">
<input type="submit" value="Log In"/>
</fieldset>
</form>
<footer class="footer">

View File

@ -3,8 +3,8 @@
<head>
<meta charset="utf-8">
<title>&#128577</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">

View File

@ -3,8 +3,8 @@
<head>
<meta charset="utf-8">
<title>&#128577</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">

View File

@ -4,8 +4,8 @@
<head>
<meta charset="utf-8">
<title>&#x1f351;</title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body>
<main class="wrapper">

View File

@ -3,8 +3,8 @@
<head>
<meta charset="utf-8">
<title><%= title %></title>
<link href="/_css/style.css" rel="stylesheet">
<link href="/_css/milligram.css" rel="stylesheet">
<link href="/_css/style.css" rel="stylesheet">
</head>
<body class="container">
<main class="wrapper">

View File

@ -0,0 +1,8 @@
CREATE TABLE IF NOT EXISTS authors (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
name TEXT UNIQUE ON CONFLICT FAIL,
salt BLOB,
passhash BLOB,
joindate INTEGER,
biography TEXT
);

View File

@ -0,0 +1,9 @@
CREATE TABLE IF NOT EXISTS comments (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
postid REFERENCES posts(id) ON DELETE CASCADE,
author REFERENCES authors(id) ON DELETE CASCADE,
isanon INTEGER,
comment_text TEXT,
hashedip BLOB,
post_time INTEGER
);

View File

@ -0,0 +1,8 @@
CREATE TABLE IF NOT EXISTS images (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
name TEXT,
image BLOB,
authorid REFERENCES authors(id) ON DELETE CASCADE,
upload_time INTEGER,
hashedip BLOB
);

View File

@ -0,0 +1,9 @@
CREATE TABLE IF NOT EXISTS posts (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
post_text BLOB,
post_title TEXT,
authorid REFERENCES authors(id) ON DELETE CASCADE,
isanon INTEGER,
hashedip BLOB,
post_time INTEGER
);

View File

@ -0,0 +1,4 @@
CREATE TABLE IF NOT EXISTS raw_text (
id INTEGER PRIMARY KEY REFERENCES posts(id) ON DELETE CASCADE,
post_text BLOB,
markup TEXT

View File

@ -0,0 +1,5 @@
CREATE TABLE IF NOT EXISTS sessions (
key TEXT PRIMARY KEY,
author REFERENCES authors(id) ON DELETE CASCADE,
start INTEGER
);

View File

@ -0,0 +1,5 @@
CREATE TABLE IF NOT EXISTS tags (
id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
postid REFERENCES posts(id) ON DELETE CASCADE,
tag TEXT
);

View File

@ -0,0 +1,13 @@
INSERT OR IGNORE INTO authors (
name,
salt,
passhash,
joindate,
biography
) VALUES (
'anonymous',
'',
'',
strftime('%s','1970-01-01 00:00:00'),
''
);

13
src/sql/insert_author.sql Normal file
View File

@ -0,0 +1,13 @@
INSERT OR FAIL INTO authors (
name,
salt,
passhash,
joindate,
biography
) VALUES (
:name,
:salt,
:hash,
strftime('%s','now'),
''
);

15
src/sql/insert_post.sql Normal file
View File

@ -0,0 +1,15 @@
INSERT INTO posts (
post_text,
post_title,
authorid,
isanon,
hashedip,
post_time
) VALUES (
?,
?,
?,
?,
?,
strftime('%s','now')
);

5
src/sql/insert_raw.sql Normal file
View File

@ -0,0 +1,5 @@
INSERT INTO raw_text (
id, post_text, markup
) VALUES (
?, ?, ?
);

View File

@ -0,0 +1,9 @@
INSERT INTO sessions (
key,
author,
start
) VALUES (
:sessionid,
:authorid,
strftime('%s','now')
);

View File

@ -0,0 +1,14 @@
SELECT
posts.id,
posts.post_title,
posts.post_time
FROM
posts,
authors
WHERE
posts.isanon = 0 AND
posts.authorid = authors.id AND
authors.name = :author
ORDER BY
posts.post_time DESC
LIMIT 10;

View File

@ -0,0 +1,9 @@
SELECT
authors.id,
authors.name
FROM
authors,
posts
WHERE
posts.authorid = authors.id AND
posts.id = :id;

8
src/sql/select_edit.sql Normal file
View File

@ -0,0 +1,8 @@
SELECT
raw_text.post_text, raw_text.markup, posts.isanon, posts.post_title
FROM
raw_text, posts
WHERE
raw_text.id = posts.id AND
raw_text.id = :postid AND
posts.authorid = :authorid;

11
src/sql/select_post.sql Normal file
View File

@ -0,0 +1,11 @@
SELECT
post_title,
post_text,
posts.authorid,
posts.isanon,
authors.name
FROM
posts,authors
WHERE
posts.authorid = authors.id AND
posts.id = :id;

View File

@ -0,0 +1,25 @@
SELECT
posts.id,
posts.post_title,
posts.isanon,
posts.post_time,
authors.name
FROM
posts,
authors
WHERE
posts.authorid = authors.id
UNION
SELECT
posts.id,
posts.post_title,
posts.isanon,
posts.post_time,
'Anonymous'
FROM
posts
WHERE
posts.authorid = -1
ORDER BY
posts.post_time DESC
LIMIT 10;

View File

@ -0,0 +1,6 @@
SELECT authors.name, authors.id
FROM authors, sessions
WHERE
sessions.key = :key AND
sessions.author = authors.id AND
sessions.start - strftime('%s','now') < 60*60*24;

9
src/sql/update_post.sql Normal file
View File

@ -0,0 +1,9 @@
UPDATE
posts
SET
post_title = ?,
post_text = ?,
isanon = ?,
post_time = strftime('%s','now')
WHERE
posts.id = ?;

7
src/sql/update_raw.sql Normal file
View File

@ -0,0 +1,7 @@
UPDATE
raw_text
SET
post_text = ?,
markup = ?
WHERE
id = ?;