d7e0a0d
to
c2822f8
Compare
Okay, good. Will review on the weekend.
…On Tue, 24 Sep 2019, 02:48 hat0r, ***@***.***> wrote:
Feature nobody asked for but everyone will love, or ignore, or whatever.
Allows clients to push videos to feed and watch them together with others.
Features:
- separate feed per thread
- ability to toggle it in board options, defaultly it's off
- time synchronization every 5 seconds
- democratic skip
- status on the top bar
- list with pending videos
- supports youtube, invidious and raw videos but other sources can be
fairly easily added
- domains for raw videos must be in whitelist to prevent IP leakage to
some shady servers,
whitelist is stored in server configuration and can be updated via frontend
- since commands are extracted from posts there is no additional spam
prevention
Youtube support is in separate commit since it requires external script
and I don't know if you want that, it's fetched only when it's needed
though.
Commit Summary
- html templates: move board config to not cached part
- add cinema
- cinema: add youtube support
File Changes
- *M* Dockerfile
<https://github.com/bakape/meguca/pull/1113/files#diff-0> (5)
- *M* client/connection/messages.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-1> (4)
- *M* client/connection/ui.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-2> (27)
- *M* client/main.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-3> (7)
- *A* client/options/cinema.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-4> (269)
- *M* client/options/index.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-5> (2)
- *M* client/options/specs.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-6> (4)
- *M* client/posts/embed.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-7> (47)
- *M* client/state.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-8> (1)
- *M* client/util/index.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-9> (13)
- *M* client/util/time.ts
<https://github.com/bakape/meguca/pull/1113/files#diff-10> (17)
- *M* common/vars.go
<https://github.com/bakape/meguca/pull/1113/files#diff-11> (44)
- *M* common/websockets.go
<https://github.com/bakape/meguca/pull/1113/files#diff-12> (4)
- *M* config/config.go
<https://github.com/bakape/meguca/pull/1113/files#diff-13> (18)
- *M* config/structs.go
<https://github.com/bakape/meguca/pull/1113/files#diff-14> (2)
- *M* db/config.go
<https://github.com/bakape/meguca/pull/1113/files#diff-15> (12)
- *M* db/migrations.go
<https://github.com/bakape/meguca/pull/1113/files#diff-16> (7)
- *M* docs/installation.md
<https://github.com/bakape/meguca/pull/1113/files#diff-17> (6)
- *M* less/base.less
<https://github.com/bakape/meguca/pull/1113/files#diff-18> (9)
- *M* parser/body.go
<https://github.com/bakape/meguca/pull/1113/files#diff-19> (91)
- *M* parser/commands.go
<https://github.com/bakape/meguca/pull/1113/files#diff-20> (25)
- *M* parser/links.go
<https://github.com/bakape/meguca/pull/1113/files#diff-21> (4)
- *M* server/admin.go
<https://github.com/bakape/meguca/pull/1113/files#diff-22> (9)
- *M* server/init.go
<https://github.com/bakape/meguca/pull/1113/files#diff-23> (2)
- *M* static/src/lang/en_GB/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-24> (4)
- *M* static/src/lang/en_GB/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-25> (17)
- *M* static/src/lang/es_ES/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-26> (4)
- *M* static/src/lang/es_ES/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-27> (15)
- *M* static/src/lang/fr_FR/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-28> (2)
- *M* static/src/lang/fr_FR/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-29> (15)
- *M* static/src/lang/nl_NL/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-30> (2)
- *M* static/src/lang/nl_NL/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-31> (15)
- *M* static/src/lang/pl_PL/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-32> (6)
- *M* static/src/lang/pl_PL/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-33> (17)
- *M* static/src/lang/pt_BR/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-34> (2)
- *M* static/src/lang/pt_BR/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-35> (15)
- *M* static/src/lang/ru_RU/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-36> (2)
- *M* static/src/lang/ru_RU/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-37> (15)
- *M* static/src/lang/sk_SK/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-38> (2)
- *M* static/src/lang/sk_SK/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-39> (15)
- *M* static/src/lang/tr_TR/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-40> (2)
- *M* static/src/lang/tr_TR/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-41> (15)
- *M* static/src/lang/uk_UA/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-42> (2)
- *M* static/src/lang/uk_UA/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-43> (15)
- *M* static/src/lang/zh_TW/common.json
<https://github.com/bakape/meguca/pull/1113/files#diff-44> (2)
- *M* static/src/lang/zh_TW/server.json
<https://github.com/bakape/meguca/pull/1113/files#diff-45> (15)
- *M* static/statik/statik.go
<https://github.com/bakape/meguca/pull/1113/files#diff-46> (2)
- *M* templates/index.html
<https://github.com/bakape/meguca/pull/1113/files#diff-47> (9)
- *M* templates/index.html.go
<https://github.com/bakape/meguca/pull/1113/files#diff-48> (338)
- *M* templates/specs.go
<https://github.com/bakape/meguca/pull/1113/files#diff-49> (6)
- *M* templates/thread.html
<https://github.com/bakape/meguca/pull/1113/files#diff-50> (6)
- *M* templates/thread.html.go
<https://github.com/bakape/meguca/pull/1113/files#diff-51> (60)
- *A* util/exec_binary.go
<https://github.com/bakape/meguca/pull/1113/files#diff-52> (46)
- *A* websockets/feeds/cinema.go
<https://github.com/bakape/meguca/pull/1113/files#diff-53> (315)
- *M* websockets/feeds/feed.go
<https://github.com/bakape/meguca/pull/1113/files#diff-54> (17)
- *M* websockets/feeds/feeds.go
<https://github.com/bakape/meguca/pull/1113/files#diff-55> (53)
- *M* websockets/feeds/util.go
<https://github.com/bakape/meguca/pull/1113/files#diff-56> (8)
- *M* websockets/handlers.go
<https://github.com/bakape/meguca/pull/1113/files#diff-57> (4)
Patch Links:
- https://github.com/bakape/meguca/pull/1113.patch
- https://github.com/bakape/meguca/pull/1113.diff
This looks like a fun feature, but there are some issues I see at the surface at least.
90c6383
to
d8f4d54
Compare
Don't take his remarks too much to heart. While calling external
applications is suboptimal, it's a better variant, if the implementation is
more reliable. I'll properly review this on the weekend. No need to make
any changes before then. I make the decisions here.
…On Thu, 26 Sep 2019, 00:33 チルノ, ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In util/exec_binary.go
<#1113 (comment)>:
> @@ -0,0 +1,46 @@
+package util
so... this is... the power of... speedreading...
hahaha...
[image: 1423583808712]
<https://user-images.githubusercontent.com/30435868/65641303-099d7e80-dfb2-11e9-913b-10703ad79fda.jpg>
I have a feeling this will be spammed to all hell, because |
Wouldn't that invalidate the whole point if only staff could queue up videos? |
https://github.com/bakape/meguca/pull/1113/files#diff-005d84183c08ef0f4deb6eb678de789bR55-R62 does prevent multiple pushes with |
Also why |
Server-crashing thread-safety issues and DoS attack vectors.
db/config.go
Outdated
@@ -135,7 +135,7 @@ func updateConfigs(_ string) error { | |||
config.Set(conf) | |||
mlog.Update() | |||
|
|||
return util.Parallel(templates.Recompile, auth.LoadCaptchaServices) | |||
return util.Parallel(templates.Recompile, auth.LoadCaptchaServices, common.ComputeVars) |
Please maintain an 80 column width.
db/config.go
Outdated
c.Created, c.DefaultCSS, c.Title, c.Notice, c.Rules, | ||
pq.StringArray(c.Eightball), | ||
c.Flags, c.NSFW, c.RbText, c.Pyu, c.Created, c.DefaultCSS, | ||
c.Title, c.Notice, c.Rules, c.CinemaEnabled, pq.StringArray(c.Eightball), |
Please maintain an 80 column width.
common/vars.go
Outdated
cinemaSources := []string{} | ||
|
||
invidiousUrlRegexpStr := `https?:\/\/(?:www\.)?invidio\.us\/watch(?:.*&|\?)v=(.+)(?:\?.+)*` | ||
InvidiousUrlRegexp = regexp.MustCompile(invidiousUrlRegexpStr) |
No need to recompute this on every function run. Move the initialization to the declaration.
cinemaSources = append(cinemaSources, invidiousUrlRegexpStr) | ||
|
||
youtubeUrlRegexpStr := `https?:\/\/(?:www\.)?youtube\.com\/watch(?:.*&|\?)v=(.+)(?:\?.+)*` | ||
YoutubeUrlRegexp = regexp.MustCompile(youtubeUrlRegexpStr) |
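Review bot: the v=(.+) capture in youtubeUrlRegexpStr (and in invidiousUrlRegexpStr above) is greedy and accepts any character, so the captured video ID swallows everything that follows it in the URL, including further & parameters, and the trailing (?:\?.+)* group never splits anything off. Restrict the capture to the ID alphabet, for example v=([\w-]+), so only the identifier reaches later code. The \/ escapes are also unnecessary inside a Go raw string.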
No need to recompute this on every function run. Move the initialization to the declaration.
common/vars.go
Outdated
ln := lang.Get() | ||
CinemaPushCommandRegexp = regexp.MustCompile(`^!` + ln.UI["cinemaPush"] + | ||
` (`+ strings.Join(cinemaSources, `|`) +`)$`) | ||
CinemaSkipCommandRegexp = regexp.MustCompile(`^!` + ln.UI["cinemaSkip"] + `$`) |
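Review bot: ln.UI["cinemaPush"] and ln.UI["cinemaSkip"] are concatenated into the pattern unescaped, so a language string containing a regexp metacharacter changes what the command matches, and one that makes the pattern invalid causes regexp.MustCompile to panic during a config update. Wrap both strings in regexp.QuoteMeta before building the pattern, or switch to regexp.Compile and return the error to the caller.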
This function is run on config update and thus CinemaPushCommandRegexp and CinemaSkipCommandRegexp need a sync.RWMutex guard. Since ensuring somebody uses a mutex across packages is not likely (somebody will forget eventually), please create getter functions that maintain the atomicity of grabbing a pointer to the regexp.
f.sendToAll(f.envelopSyncTime()) | ||
} | ||
case url := <-f.push: | ||
cv, err := parseUrl(url) |
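Review bot: parseUrl(url) is called inline in the case url := <-f.push branch, so the select cannot service the sync-time send above it, or any other case, until parseUrl returns. If parseUrl performs network or subprocess I/O, run it in its own goroutine with a timeout, hand the result back to the loop over a channel, and bound how many lookups can be in flight at once.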
This will block the entire thread's loop on external I/O - unacceptable, because this function can be triggered by anybody. Easy DoS. Please add a requirement to be the current board's staff to push videos.
websockets/feeds/cinema.go
Outdated
// start next | ||
if len(f.playlist) > 0 { | ||
cv := f.playlist[0] | ||
f.videoTimer = time.NewTimer(time.Duration(cv.Duration)*time.Millisecond).C |
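Review bot: the f.videoTimer line keeps only the .C channel of time.NewTimer and discards the *time.Timer, so the timer can never be stopped or reset once a video is skipped or replaced. Store the *time.Timer on the feed, call Stop on it before assigning a new one, and read from its C field in the loop.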
Stop the previous timer to reduce goroutine usage, if any.
websockets/feeds/feed.go
Outdated
@@ -221,10 +227,19 @@ func (f *Feed) sendIPCount() { | |||
} | |||
ips[ip] = struct{}{} | |||
} | |||
|
|||
cf, ok := feeds.cinemaFeeds[f.id] |
No mutex guard.
websockets/feeds/feed.go
Outdated
@@ -65,6 +67,8 @@ type Feed struct { | |||
moderatePost chan moderationMessage | |||
// Let sent sync counter | |||
lastSyncCount syncCount | |||
// trigger sending IP count/cinema status, fired from cinema feed loop | |||
sendIPCountChan chan int |
A Feed and a cinemaFeed don't have linked lifetimes, thus it is possible for this channel to cause blocked and thus leaked goroutines. Please use the global SendTo function instead and delete this channel.
I don't understand what is your solution here. SendTo buffers a message to all clients, but in order to make it I need information from main feed (IP, IP active count), which can only be obtained from its goroutine.
Maybe guard those two values with mutex in a separate struct as I've done in cinema feed and make sendIPCount thread safe. Another option is to send the same message from cinema feed with values from main feed set to null, then client won't update them or entirely move cinema status to a different websocket message.
You're right - SendTo() is not what is needed. A better solution would be adding a reasonable buffer to sendIPCountChan, say 16, and then using a non-blocking select send in the cinema feed. In case it's unclear, I mean this:
select {
case f.sendIPCountChan <- count:
default:
	// Log error
}
Ok, sounds good, if I understand correctly that additional select is to catch error when the buffer is full?
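The non-blocking send suggested above, run against a receiver that has gone away, next to the plain blocking send it replaces. This is an added example, not code from the pull request; the notifier type and the function names are hypothetical, and only the buffer size of 16 and the select/default shape come from the thread.

```go
package main

import (
	"fmt"
	"sync/atomic"
	"time"
)

// notifier is a hypothetical stand-in for the cinema-feed side of
// sendIPCountChan.
type notifier struct {
	dropped int64 // sends discarded because the buffer was full
	ch      chan int
}

// notify never blocks: it queues the value or reports a drop.
func (n *notifier) notify(count int) bool {
	select {
	case n.ch <- count:
		return true
	default:
		atomic.AddInt64(&n.dropped, 1) // the "// Log error" branch
		return false
	}
}

// simulateDeadReceiver sends with nobody reading, as when the main feed
// has already exited, and returns how many values were queued and dropped.
func simulateDeadReceiver(buf, sends int) (queued, dropped int) {
	n := &notifier{ch: make(chan int, buf)}
	for i := 0; i < sends; i++ {
		if n.notify(i) {
			queued++
		}
	}
	return queued, int(atomic.LoadInt64(&n.dropped))
}

// blockingSendStaysBlocked shows the original hazard: a plain send on a
// channel nobody reads parks its goroutine for good.
func blockingSendStaysBlocked() bool {
	ch, done := make(chan int), make(chan struct{})
	go func() {
		ch <- 1 // never returns: this goroutine is leaked
		close(done)
	}()
	select {
	case <-done:
		return false
	case <-time.After(50 * time.Millisecond):
		return true
	}
}

func main() {
	q, d := simulateDeadReceiver(16, 20)
	fmt.Println("queued:", q, "dropped:", d, "blocking send stuck:", blockingSendStaysBlocked())
}
```

The drop counter is what makes the default branch useful in operation: a steadily rising count means the main feed is not draining the channel.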
@Chiiruno See the comments. Making |
@bakape I did, is guarding it behind captchouli not enough? |
@Chiiruno The Captchouli integration currently does not tie a solved captcha to an explicit action permission. It only checks if a captcha had been solved recently enough. That is fine for stuff like server-local resource usage, but not fine for external I/O. You could just solve one captcha and then spam pushes to DoS the cinema. |
@bakape Well, from what I read, you can't do multiple pushes in one post, so even with that current blockage, it's only 3 posts (and thus 3 pushes) that you can DoS with until the next captchouli. |
Could also have !push automatically increase spam score to require another captcha from IP. |
That works.
…On Mon, 30 Sep 2019, 01:04 チルノ, ***@***.***> wrote:
Could also have !push automatically increase spam score to require another
captcha from IP.
Regarding that DoS on cinema push, I thought about a per-goroutine push cooldown, e.g. 30 seconds, and a limit on playlist length, but captcha is more elegant. A playlist length limit would still be a reasonable thing to do though.
I wanted to distinguish that it's not a word command but line command. First sign could go along with the command word to the language config, since they are already there |
All you should need to do is increase spam score to the captcha limit for that IP every !push and it should be good.
Playlist should definitely have a length limit, but it should only really be for extreme numbers like above... maybe 2048? To make sure we don't clog up things in the server with too much playlist data over time.
That makes sense, although |
So: incrementing captcha score by |
It is in that sense that there can't be anything else in its line. |
I'm fine with the |
Yes. It prevents goroutine leakage.
…On Tue, 1 Oct 2019, 16:41 hat0r, ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In websockets/feeds/feed.go
<#1113 (comment)>:
> @@ -65,6 +67,8 @@ type Feed struct {
moderatePost chan moderationMessage
// Let sent sync counter
lastSyncCount syncCount
+ // trigger sending IP count/cinema status, fired from cinema feed loop
+ sendIPCountChan chan int
Ok, sounds good, if I understand correctly that additional select is to
catch error when the buffer is full?
above issues should be solved now |
|
that's right |
I'll do a second full review by the end of the week. Best be careful with
things that can crash the server.
…On Sun, 20 Oct 2019, 20:22 hat0r, ***@***.***> wrote:
that's right
sure |
Make thumbnails display:block.
Will readdress once new version is up and working. |
Feature nobody asked for but everyone will love, or ignore, or whatever.
Allows clients to push videos to feed and watch them together with others.
Features:
- separate feed per thread
- ability to toggle it in board options, defaultly it's off
- time synchronization every 5 seconds
- democratic skip
- status on the top bar
- list with pending videos
- supports youtube, invidious and raw videos but other sources can be fairly easily added
- domains for raw videos must be in whitelist to prevent IP leakage to some shady servers,
whitelist is stored in server configuration and can be updated via frontend
- since commands are extracted from posts there is no additional spam prevention
Youtube support is in separate commit since it requires external script and I don't know if you want that (and that feature at all), it's fetched only when it's needed though.
Demonstration: