### 🔒 Security Fixes

**Critical**

- **PoW bypass on replies** — proof-of-work verification was only enforced on new threads but not on replies. Replies now require a valid PoW nonce when the board has CAPTCHA enabled.
- **PoW nonce replay** — the same proof-of-work solution could be submitted repeatedly. Used nonces are now tracked in memory and rejected within their 5-minute validity window. Stale entries are automatically pruned.

**High**

- **Removed inline JavaScript** — all inline `<script>` blocks and `onclick`/`onchange`/`onsubmit` attributes have been extracted into external `.js` files. The Content Security Policy now uses `script-src 'self'` with no `unsafe-inline`, closing a major XSS surface.
- **Backup upload size cap** — the restore endpoints previously accepted uploads of unlimited size, risking out-of-memory crashes. Both full and board restore routes are now capped at 512 MiB.
- **Template module split** — the 2,736-line monolithic template file has been reorganized into five focused modules with no changes to the public API (all existing handler code works without modification)
- **Database module split** — the 2,264-line monolithic `db.rs` has been reorganized into five focused modules with zero call-site changes (all existing `db::` references compile unchanged)
… firing independently of per-board cooldown settings, causing false 429 errors. POST rate limiting has been moved out of middleware and into individual handlers where it renders as an inline error instead of a dead-end page. GET rate limiting remains in middleware for DoS protection. Admin sessions are now exempt from rate limits in both `create_thread` and `post_reply`. Fixed `create_thread` missing the admin exemption on per-board cooldowns that `post_reply` already had.
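An added example (not the project's own code) of the nonce-replay guard described above, in Rust: accepted nonces are tracked in memory, a solution whose challenge is older than the 5-minute window is rejected before the cache is consulted, and entries past the window are pruned. `NonceCache`, `PowVerdict`, `admit` and the `issued_at` timestamp are assumed names; the hash/difficulty check of the PoW itself is assumed to run before `admit` is called.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Validity window of a proof-of-work solution: the 5-minute window the PR describes.
pub const POW_WINDOW: Duration = Duration::from_secs(5 * 60);

#[derive(Debug, PartialEq)]
pub enum PowVerdict {
    Accepted,
    Stale,  // the challenge was issued more than POW_WINDOW ago
    Replay, // this nonce was already spent inside the window
}

/// In-memory record of accepted nonces (assumed name). Keyed by the nonce
/// string, which is assumed to be unique per issued challenge.
pub struct NonceCache {
    seen: HashMap<String, Instant>, // nonce -> when it was accepted
}

impl NonceCache {
    pub fn new() -> Self { Self { seen: HashMap::new() } }

    /// Forget entries older than POW_WINDOW. Safe only because `admit`
    /// rejects stale challenges before it consults the cache, so a nonce
    /// that has been pruned can never be accepted a second time.
    pub fn prune(&mut self, now: Instant) {
        self.seen.retain(|_, t| now.saturating_duration_since(*t) <= POW_WINDOW);
    }

    /// Decide whether a solved challenge may be spent. `issued_at` is when
    /// the server handed out the challenge (assumed to travel in a signed
    /// token); `now` is a parameter so the logic is testable without
    /// sleeping. The hash/difficulty check is assumed to run before this.
    pub fn admit(&mut self, nonce: &str, issued_at: Instant, now: Instant) -> PowVerdict {
        if now.saturating_duration_since(issued_at) > POW_WINDOW {
            return PowVerdict::Stale;
        }
        self.prune(now);
        if self.seen.contains_key(nonce) {
            return PowVerdict::Replay;
        }
        self.seen.insert(nonce.to_owned(), now);
        PowVerdict::Accepted
    }

    pub fn len(&self) -> usize { self.seen.len() }
}
```

Because the cache is process-local, wrap it in a `Mutex` when it is shared between handler tasks; a multi-instance deployment would need a shared store instead.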
Drop the global POST rate limiter and make per-board post_cooldown_secs the sole post-rate control. Removed rate_limit_posts from Config and eliminated middleware-level POST checks; handlers (create_thread/post_reply) no longer call the removed check_post_rate_limit. Tighten GET rate-limiting: middleware now only counts navigational page requests, explicitly excludes /static/, /boards/, /admin/, and /api/ routes and requests with a chan_admin_session cookie, and returns an inline toast page on limit hit instead of a bare 429. Updated CHANGELOG and comments to reflect the behavioral changes.
Delete legacy board/thread DB/handler modules (src/db/board.rs, src/handlers/boards.rs, src/handlers/threads.rs) as part of a refactor/cleanup. Fix admin download to use async tokio::fs::read to avoid blocking, and guard post cooldown math by using saturating_sub in board/thread handlers to prevent negative underflow. (Cargo.lock version bump present in the diff.)
## [1.0.12] — 2026-03-07

### 🔄 Changed

- `threads.rs`: added explicit `ROLLBACK` on failed `COMMIT` to prevent dirty transaction state.
- `mod.rs`: added `sort_unstable` + `dedup` to `paths_safe_to_delete` to eliminate duplicate path entries.
- `mod.rs`: added `media_type` and `edited_at` columns to the base `CREATE TABLE posts` schema to match the final migrated state.
- `admin.rs`: replaced inlined Post row mapper with shared `super::posts::map_post` to eliminate duplication.
- `admin.rs`: clarified `run_wal_checkpoint` doc comment on return tuple order.
- `board.rs`: fixed archive thumbnail path prefix from `/static/` to `/boards/`.
- `board.rs`: moved `fmt_ts` to the top-level import, removed redundant local `use` inside `archive_page`.
- `thread.rs`: corrected misleading comment about embed and draft script loading.
- `thread.rs`: added doc comment documenting the `body_html` trust precondition on `render_post`.
- `forms.rs`: removed dead `captcha_js` variable and no-op string concatenation.
- … `.greentext`, `.quote-link`, `.admin-thread-del-btn`, duplicate `.media-expanded`, `.media-rotate-btn`, `.thread-id-badge`, `.quote-block`, `.quote-toggle`, `.archive-heading`, `.autoupdate-bar`, `.video-player`). Fixed two undefined CSS variable references (`--font-mono` → `--font`, `--bg-body` → `--bg`).
- Merged duplicate `.file-container` block into a single declaration.
- The 2,264-line monolithic `db.rs` has been reorganized into five focused modules with zero call-site changes (all existing `db::` references compile unchanged):
  - `mod.rs` (466 lines) — connection pool, shared types (`NewPost`, `CachedFile`), schema initialization, shared helpers
  - `boards.rs` (293 lines) — site settings, board CRUD, stats
  - `threads.rs` (333 lines) — thread listing, creation, mutation, archiving, pruning
  - `posts.rs` (642 lines) — post CRUD, file deduplication, polls, job queue, worker helpers
  - `admin.rs` (558 lines) — admin sessions, bans, word filters, reports, mod log, ban appeals, IP history, maintenance
- The 2,736-line monolithic template file has been reorganized into five focused modules with no changes to the public API (all existing handler code works without modification):
  - `mod.rs` (392 lines) — shared infrastructure: site name/subtitle statics, base layout, pagination, timestamp formatting, utility helpers
  - `board.rs` (697 lines) — home page, board index, catalog, search, and archive rendering
  - `thread.rs` (738 lines) — thread view, post rendering, polls, and post edit form
  - `admin.rs` (760 lines) — login page, admin panel, mod log, VACUUM results, IP history
  - `forms.rs` (198 lines) — new thread and reply forms, shared across board and thread pages

### 🔒 Security Fixes

**Critical**

…

**High**

- **Removed inline JavaScript** — all inline `<script>` blocks and `onclick`/`onchange`/`onsubmit` attributes have been extracted into external `.js` files. The Content Security Policy now uses `script-src 'self'` with no `unsafe-inline`, closing a major XSS surface.

### 🐛 Fixes

- Removed the global `check_post_rate_limit` function that was silently overriding per-board cooldown settings. A board with `post_cooldown_secs = 0` now correctly means zero cooldown. The per-board setting is the sole post rate control.
- … (`/api/post/*`) were being counted against the navigational rate limit, causing false throttling on threads with many quote links. All `/api/` routes are now excluded alongside `/static/`, `/boards/`, and `/admin/`. The GET limiter now only covers page loads that a scraper would target (board index, catalog, archive, threads, search, home).