From e105d96c4d6c747abdb33a1d13e5218429d96358 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20M=C3=BCller?=
Date: Sun, 24 Sep 2017 22:59:23 +0200
Subject: [PATCH] restricts export for fraudelent notes

---
 render.go | 2 +-
 server.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/render.go b/render.go
index 6745450..ce6f394 100644
--- a/render.go
+++ b/render.go
@@ -25,7 +25,7 @@ var (
 rexpNewLine = regexp.MustCompile("[\n\r]")
 rexpNonAlphaNum = regexp.MustCompile("[`~!@#$%^&*_|+=?;:'\",.<>{}\\/]")
 rexpNoScriptIframe = regexp.MustCompile("<.*?(iframe|script).*?>")
- rexpLink = regexp.MustCompile("(ht|f)tp://[^\\s]+")
+ rexpLink = regexp.MustCompile("(ht|f)tps?://[^\\s]+")
 
 errorUnathorised = errors.New("password is wrong")
 errorBadRequest = errors.New("password is empty")
diff --git a/server.go b/server.go
index 410d218..071c481 100644
--- a/server.go
+++ b/server.go
@@ -78,8 +78,14 @@ func main() {
 })
 
 e.GET("/:id/export", func(c echo.Context) error {
+ id := c.Param("id")
 n, code := load(c, db)
- c.Logger().Debugf("/%s/export requested; response code: %d", n.ID, code)
+ defer incViews(n)
+ if fraudelent(n) {
+ code = http.StatusForbidden
+ n = statusNote(code)
+ }
+ c.Logger().Debugf("/%s/export requested; response code: %d", id, code)
 if code == http.StatusOK {
 return c.String(code, n.Text)
 }
@@ -180,6 +186,10 @@ func main() {
 }
 
 func fraudelent(n *Note) bool {
+ res := rexpLink.FindAllString(n.Text, -1)
+ if len(res) < 3 {
+ return false
+ }
 stripped := rexpLink.ReplaceAllString(n.Text, "")
 l1 := len(n.Text)
 l2 := len(stripped)
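Review bot: The widened pattern `(ht|f)tps?://[^\\s]+` is still case-sensitive, so a link written with an upper-case scheme is not counted by `rexpLink`, and since `fraudelent` in server.go now keys off this regexp's match count, the detection it feeds is only as complete as the pattern. A case-insensitive form, `rexpLink = regexp.MustCompile("(?i)(ht|f)tps?://[^\\s]+")`, closes that gap without changing what the pattern strips. Note also that the alternation now accepts `ftps://` alongside `https://`, which is presumably intended but worth a comment such as `// matches http, https, ftp and ftps URLs up to the next whitespace` on the declaration. The `var (` block this line belongs to continues outside the hunk.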
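Review bot: `fraudelent(n)` is evaluated regardless of the `code` that `load` returned, and the function dereferences `n.Text`, so if `load` reports a failure with a nil note the export handler now panics instead of returning that status; if it returns a placeholder note the check is merely wasted. Restricting the check to the success path, `if code == http.StatusOK && fraudelent(n) {`, is safe in both cases. The deferred `incViews(n)` captures the note as loaded (defer evaluates its arguments immediately), so the view counter is also bumped for exports that are then refused with 403 or were never found; if only served exports should count, move the `defer incViews(n)` inside the `code == http.StatusOK` branch before `return c.String(code, n.Text)`. The handler closure and `main` both continue outside the hunk, so the non-OK return path is not visible here.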
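Review bot: The early return hard-codes the threshold `3` with nothing saying why that many links is the cutoff, and `res` is only ever used for its length, so `FindAllString` allocates a copy of every matched URL for no purpose. A named constant and the index form keep the intent visible and avoid the copies: `const minLinksForFraudCheck = 3` at package scope, then `if len(rexpLink.FindAllStringIndex(n.Text, -1)) < minLinksForFraudCheck {` in place of the two lines. The function also has no doc comment; something like `// fraudelent reports whether a note looks like link spam: it needs at least minLinksForFraudCheck links, and the remaining ratio test follows.` would help, with the ratio part phrased once the rest of the body is checked. The body of `fraudelent` continues past the hunk (`l1`/`l2` are computed but not yet used here).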