From c2b2181c7fe7947c5a3768ad35bfd20f74a81dc1 Mon Sep 17 00:00:00 2001 From: XANTRONIX Development Date: Sat, 30 Nov 2024 19:57:29 -0500 Subject: [PATCH] Prevent passing wrong number of args to POST --- lib/nntp/tiny/session.py | 84 +++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 49 deletions(-) diff --git a/lib/nntp/tiny/session.py b/lib/nntp/tiny/session.py index c2cbc02..259593c 100644 --- a/lib/nntp/tiny/session.py +++ b/lib/nntp/tiny/session.py @@ -740,11 +740,33 @@ class Session(): return True - def _cmd_post(self): + def _post_impl(self, message_id=None): if self.perms is None or not self.perms & UserPermission.POST: return self.respond(ResponseCode.NNTP_POST_PROHIBITED) - self.respond(ResponseCode.NNTP_INQUIRY_ARTICLE) + if message_id: + sql = """ + select + count(message_id) + from + message + where + message_id = ? + """ + + cr = self.db.execute(sql, (message_id,)) + row = cr.fetchone() + + if row is not None and row[0] > 0: + return self.respond(ResponseCode.NNTP_ARTICLE_NOT_WANTED_ID) + + code_inquiry = ResponseCode.NNTP_INQUIRY_ARTICLE_ID + code_received = ResponseCode.NNTP_ARTICLE_RECEIVED_ID + else: + code_inquiry = ResponseCode.NNTP_INQUIRY_ARTICLE + code_received = ResponseCode.NNTP_ARTICLE_RECEIVED + + self.respond(code_inquiry) message = Message() 
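Review bot: `if message_id:` in `_post_impl` selects the IHAVE path by truthiness, so an empty-string ID handed over by `_cmd_ihave` would skip the duplicate lookup and be answered with the POST response codes instead of the IHAVE ones. Whether the command dispatcher can pass an empty argument is not visible in this patch, but `if message_id is not None:` makes the mode switch explicit and rules that case out. A short docstring on `_post_impl` stating that `message_id=None` means POST and any other value means IHAVE would also help, since both commands now share one body. The body of `_post_impl` continues past the end of this hunk.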
@@ -754,63 +776,27 @@ class Session(): if line == '': self.active = False break - elif line == '.': + + stripped = line.rstrip() + + if stripped == '.': if self._save_message(message): - return self.respond(ResponseCode.NNTP_ARTICLE_RECEIVED) + return self.respond(code_received) else: return self.respond(ResponseCode.NNTP_POST_FAILED) - elif line == '..': - line = '.' + elif stripped == '..': + line = line[1:] try: message.readline(line) except: return self.respond(ResponseCode.NNTP_POST_FAILED) + def _cmd_post(self): + return self._post_impl() + def _cmd_ihave(self, message_id): - if self.perms is None or not self.perms & UserPermission.POST: - return self.respond(ResponseCode.NNTP_POST_PROHIBITED) - - sql = """ - select - count(message_id) - from - message - where - message_id = ? - """ - - cr = self.db.execute(sql, (message_id,)) - row = cr.fetchone() - - if row is not None and row[0] > 0: - return self.respond(ResponseCode.NNTP_ARTICLE_NOT_WANTED_ID) - - self.respond(ResponseCode.NNTP_INQUIRY_ARTICLE_ID) - - message = Message() - - while True: - line = self.readline() - - if line == '': - self.active = False - break - elif line == '.': - if message.message_id != message_id: - return self.respond(ResponseCode.NNTP_POST_FAILED) - - if self._save_message(message): - return self.respond(ResponseCode.NNTP_ARTICLE_RECEIVED_ID) - else: - return self.respond(ResponseCode.NNTP_POST_FAILED) - elif line == '..': - line = '.' - - try: - message.readline(line) - except: - return self.respond(ResponseCode.NNTP_POST_FAILED) + return self._post_impl(message_id) def _cmd_date(self): timestamp = datetime.datetime.now(datetime.UTC)
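Review bot: The shared `.` terminator branch no longer compares the received article's own Message-ID with the one offered in IHAVE. The removed `_cmd_ihave` body had `if message.message_id != message_id: return self.respond(ResponseCode.NNTP_POST_FAILED)` ahead of `_save_message`. Without it, the duplicate lookup done on the offered ID says nothing about the article that is actually stored, so the ID a peer offers and the ID it transfers can differ unnoticed. Restoring the check for the IHAVE path only keeps POST behaviour unchanged, e.g. `if message_id is not None and message.message_id != message_id: return self.respond(ResponseCode.NNTP_POST_FAILED)` placed before the `_save_message` call. The `while` loop these lines belong to starts above this hunk.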