contact-store: disallow data: urls from being added

2024-11-13 08:38:43 +03:00 · 2021-04-19 14:38:33 -05:00 · 2021-04-19 14:38:33 -05:00 · fa59f87dc5
commit fa59f87dc5
parent 624e5c2692
1 changed files with 16 additions and 0 deletions
--- a/pkg/arvo/app/contact-store.hoon
+++ b/pkg/arvo/app/contact-store.hoon
@ -126,6 +126,14 @@
              !=(contact(last-updated *@da) u.old(last-updated *@da))
          ==
        [~ state]
+      ~|  "cannot add a data url to cover!"
+      ?>  ?|  ?=(~ cover.contact)
+              !=('data:' (cut 3 [0 5] u.cover.contact))
+          ==
+      ~|  "cannot add a data url to avatar!"
+      ?>  ?|  ?=(~ avatar.contact)
+              !=('data:' (cut 3 [0 5] u.avatar.contact))
+          ==
      :-  (send-diff [%add ship contact] =(ship our.bowl))
      state(rolodex (~(put by rolodex) ship contact))
    ::
@ -149,6 +157,14 @@
      =/  contact  (edit-contact old edit-field)
      ?:  =(old contact)
        [~ state]
+      ~|  "cannot add a data url to cover!"
+      ?>  ?|  ?=(~ cover.contact)
+              !=('data:' (cut 3 [0 5] u.cover.contact))
+          ==
+      ~|  "cannot add a data url to avatar!"
+      ?>  ?|  ?=(~ avatar.contact)
+              !=('data:' (cut 3 [0 5] u.avatar.contact))
+          ==
      =.  last-updated.contact  timestamp
      :-  (send-diff [%edit ship edit-field timestamp] =(ship our.bowl))
      state(rolodex (~(put by rolodex) ship contact))