Commit 0eb5dc6cf73ccf4ac6861f11d65e655eb32def0a
oops, listen on localhost only (fix security vuln, thanks @cel)
Dominic Tarr committed on 2/22/2019, 9:24:08 AMParent: 9f6842d31239574b9aae7935976aeef22e7a67fa
Files changed
| index.js | changed |
| index.js | ||
|---|---|---|
| @@ -58,13 +58,8 @@ | ||
| 58 | 58 | }, |
| 59 | 59 | |
| 60 | 60 | //theme, in cookie |
| 61 | 61 | |
| 62 | - //renders immediately | |
| 63 | -// preview: function (opts, req, cb) { | |
| 64 | -// cb(null, opts) | |
| 65 | -// }, | |
| 66 | - | |
| 67 | 62 | publish: function (opts, req, cb) { |
| 68 | 63 | if(opts.content.recps === '') |
| 69 | 64 | delete opts.content.recps |
| 70 | 65 | else if('string' === typeof opts.content.recps) { |
| @@ -107,36 +102,18 @@ | ||
| 107 | 102 | function (req, res, next) { |
| 108 | 103 | if(req.method == 'GET') return next() |
| 109 | 104 | var id = req.cookies.id || sbot.id |
| 110 | 105 | var opts = req.body |
| 111 | -// function callApi (path, opts) { | |
| 112 | -// try { | |
| 113 | -// var fn = nested.get(apis, path) | |
| 114 | -// if(!fn) return next() | |
| 115 | -// return fn(opts, apply, req) | |
| 116 | -// } catch(err) { | |
| 117 | -// next(err) | |
| 118 | -// } | |
| 119 | -// } | |
| 120 | 106 | |
| 121 | 107 | // handle preview specially, (to confirm a message) |
| 122 | - // | |
| 123 | 108 | |
| 124 | 109 | if(opts.type === 'preview') { |
| 125 | 110 | // TODO: pass opts.id in, and wether this message |
| 126 | 111 | // preview should allow recipient selection, or changing id. |
| 127 | 112 | // api.preview can set the shape of the message if it likes. |
| 128 | 113 | |
| 129 | 114 | req.url = '/preview?'+QS.stringify(opts) |
| 130 | 115 | return coherence(req, res, next) |
| 131 | - | |
| 132 | - //XXX this isn't working | |
| 133 | - | |
| 134 | -// toHTML(layout.call(self, callApi(['preview'], opts))) (function (err, result) { | |
| 135 | -// if(err) next(err) | |
| 136 | -// else res.end('<!DOCTYPE html>'+result.outerHTML) | |
| 137 | -// }) | |
| 138 | -// return | |
| 139 | 116 | } |
| 140 | 117 | actions[opts.type](opts, req, function (err, _opts, context) { |
| 141 | 118 | if(err) return next(err) |
| 142 | 119 | if(context) { |
| @@ -165,10 +142,18 @@ | ||
| 165 | 142 | Static({ |
| 166 | 143 | root: path.join(__dirname, 'static'), baseDir: '/static' |
| 167 | 144 | }), |
| 168 | 145 | coherence |
| 169 | - )).listen(8005) | |
| 170 | -}) | |
| 146 | + )).listen(8005, 'localhost') | |
| 171 | 147 | |
| 148 | + /* | |
| 149 | + generic ssb invalidation | |
| 150 | + if a message links to another, invalidate the other key. | |
| 151 | + (this will get threads, likes, etc) | |
| 152 | + if a message links to a feed, invalidate the feed. | |
| 172 | 153 | |
| 154 | + that doesn't cover follows though... but maybe that can be invalidated | |
| 155 | + as one thing? | |
| 156 | + */ | |
| 157 | +}) | |
| 173 | 158 | |
| 174 | 159 | |
Built with git-ssb-web