Compose window removes words prefixed with dollar sign ($) #3270

Closed
joyeusenoelle opened this Issue May 23, 2017 · 2 comments

@joyeusenoelle
Contributor

joyeusenoelle commented May 23, 2017

On instances running any version of 1.4 (for example, mastodon.social), any word composed only of English letters (not numbers, punctuation, or non-English characters) in a newly-composed toot that is prefixed with a dollar sign ($) is removed from the toot after submission but before posting.

Examples:

| Toot | Expected | Observed |
| --- | --- | --- |
| `I have $one.` | `I have $one.` | `I have .` |
| `I have $1.` | `I have $1.` | `I have $1.` |
| `I have $1one.` | `I have $1one.` | `I have $1one.` |
| `I have $one1.` | `I have $one1.` | `I have $one1.` |
| `I have $öne.` | `I have $öne.` | `I have $öne.` |

I suspect that some variable interpolation is occurring; if that's the case it could represent a security hole.


  • I searched or browsed the repo’s other issues to ensure this is not a duplicate.
  • This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

DJSundog commented May 23, 2017

Upon further poking of this bug from the web ui, it seems to only be some $-prefixed words - see https://toot-lab.reclaim.technology/@djsundog/399876 as an example.

Contributor

joyeusenoelle commented May 24, 2017

In addition to $summary, I've discovered some other words that aren't removed by the $-prefix:

$displayname
$username
$preferredusername

In addition, I've found that whatever is doing this counts a number of symbols as word breaks:

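| Input | Output |
| --- | --- |
| `$test-one` | `-one` |
| `$test_two` | `_two` |
| `$test–three` | `$test–three` |
| `$test=four` | `=four` |
| `$test.five` | `.five` |
| `$test?six` | `?six` |
| `$test@seven` | `@seven` |
| `$test#eight` | `#eight` |
| `$test$nine` | `$nine` |
| `$test^ten` | `^ten` |
| `$test*eleven` | `*eleven` |
| `$test(twelve` | `(twelve` |
| `$test)thirteen` | `)thirteen` |
| `$test&fourteen` | `&fourteen` |
| `$testöfifteen` | `$testöfifteen` |
| `$test1sixteen` | `$test1sixteen` |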

Note line 9 in particular: $test$nine only removes $test and not $nine. The dash in line 3 is an en-dash, not a standard hyphen (which is line 1). Including a number or non-English glyph mid-word (lines 15 and 16) stops the word from being removed.

Obviously neither of these are exhaustive lists, but they might help in tracking the issue down.

ykzts added a commit to ykzts/mastodon that referenced this issue May 24, 2017

gol-cha added a commit to gol-cha/mastodon that referenced this issue May 29, 2017

orekyuu added a commit to orekyuu/mastodon that referenced this issue May 31, 2017

YaQ00 added a commit to YaQ00/mastodon that referenced this issue Sep 5, 2017
