From 70bea7862f084265e56d48948299df6363c2f8f7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?=
Date: Sat, 30 Nov 2019 13:53:40 +0100
Subject: [PATCH] prevent double submit of messages, use channel directories
---
 channel.sh | 16 ++++++++++++----
 index.cgi | 7 +++++--
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/channel.sh b/channel.sh
index 1f86e52..4088994 100755
--- a/channel.sh
+++ b/channel.sh
@@ -7,13 +7,21 @@ fi
 case $(POST action) in
 create)
- if [ ! -f "$chatfile" ]; then
+ if mkdir "${_DATA}/${LOCATION}"; then
 { randomid; printf ' '; STRING "$nickname"; echo; } >"$chatfile"
 fi
 REDIRECT "$(URL "/$LOCATION")"
 ;;
 submit)
- if [ -f "$chatfile" -a "$channelkey" = "$(POST channelkey)" ]; then
+ read lasttime x <<-EOFread
+ $(tail -n 50 "$chatfile" |grep -F " $(STRING "$nickname"): " |tail -n1)
+ EOFread
+ if [ "$lasttime" ]; then
+ lasttime="$(date -d "${lasttime%_*} ${lasttime#*_}" +%s)"
+ else
+ lasttime=0
+ fi
+ if [ -f "$chatfile" -a "$channelkey" = "$(POST channelkey)" -a "$(POST timenonce)" -gt "$lasttime" ]; then
 printf "%s %s: %s\n" "$(date +%F_%T)" "$(STRING "$nickname")" "$(POST message |STRING)" >>"$chatfile"
 fi
 REDIRECT "$(URL "/$LOCATION")"
@@ -32,10 +40,10 @@ else
 { printf ' [form #channel method="POST" [submit "action" "submit" style="display: none;"]
- [input type=hidden name=channelkey value="%s"]
+ [input type=hidden name=channelkey value="%s"][input type=hidden name=timenonce value="%s"]
 [a .settings href="?settings#nick" Settings][input autocomplete="off" name="message" autofocus=true][submit "action" "submit" Send!] ]
- ' "$channelkey"
+ ' "$channelkey" "$_DATE"
 SHESCAPE='s;[]&<>#."[];\\&;g;'
 while sleep 10; do printf '\n'; done &
diff --git a/index.cgi b/index.cgi
index 16bd904..194ac98 100755
--- a/index.cgi
+++ b/index.cgi
@@ -2,6 +2,7 @@
 _EXEC=.
 _DATA=.
+SESSION_TIMEOUT=43200
 . "$_EXEC/cgilite/logging.sh"
 . "$_EXEC/cgilite/cgilite.sh"
 . "$_EXEC/cgilite/session.sh"
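Review bot: In channel.sh's `submit)` branch the key check and the new `-gt` check share one `[ … -a … ]` expression whose operands `$(POST channelkey)` and `$(POST timenonce)` are request data; POSIX leaves `test` with more than four arguments unspecified, so shells may parse the expression differently when an operand looks like an operator, and a non-numeric timenonce makes `-gt` error out. Validate the nonce and chain separate tests instead: `case "$(POST timenonce)" in ''|*[!0-9]*) nonce=0;; *) nonce="$(POST timenonce)";; esac` and then `if [ -f "$chatfile" ] && [ "$channelkey" = "$(POST channelkey)" ] && [ "$nonce" -gt "$lasttime" ]; then`. Since the client chooses timenonce, the check only stops accidental resubmits and is not a replay control. The `grep -F " $(STRING "$nickname"): "` lookup also matches that text inside message bodies, so another participant's message can move this nickname's `lasttime`; matching the second field exactly would avoid that. The enclosing `case` continues past the end of the hunk.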
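Review bot: The hidden `timenonce` value in channel.sh's form comes from `$_DATE`, which this patch neither sets nor documents, yet the `submit)` branch compares it numerically against `date … +%s` output. If `_DATE` is not epoch seconds, every post is rejected or the check is meaningless. Because the comparison is a strict `-gt`, a form rendered in the same second as the sender's previous message would have its next post silently dropped, which is presumably reachable right after the redirect. Add a comment above the printf, e.g. `# timenonce = page render time in epoch seconds (_DATE, presumably set by cgilite); submit) requires it to be newer than the sender's last message`, and confirm the same-second case. The surrounding `else` block begins and ends outside the hunk.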
@@ -13,7 +14,9 @@ LOCATION="${LOCATION%%/*}"
 yield_page(){
 page="$1"
- printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
+ printf '%s\r\n' 'Content-Type: text/html; charset=utf-8' \
+ "Content-Security-Policy: script-src 'none'" \
+ ''
 { printf '[html [head [meta name="viewport" content="width=device-width"]
@@ -54,7 +57,7 @@ case ${LOCATION} in
 exit 0
 ;;
 \&?*)
- chatfile="$_DATA/${LOCATION}"
+ chatfile="$_DATA/${LOCATION}/channel"
 . "$_EXEC/channel.sh"
 exit 0
 ;;
-- 
2.39.2
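Review bot: The policy added in index.cgi's `yield_page` limits only `script-src`, so plugin content, `<base>` rewriting and form targets stay unrestricted on pages that presumably display user-submitted chat text. Consider extending the header line to `"Content-Security-Policy: script-src 'none'; object-src 'none'; base-uri 'none'; form-action 'self'" \` and adding `'X-Content-Type-Options: nosniff' \` as a further argument. `form-action 'self'` assumes the forms only post back to this site, which the `[form #channel method="POST"` in channel.sh suggests but should be confirmed. A short comment above the printf noting that each argument becomes one CRLF-terminated header line and the final `''` ends the header block would help the next editor. `yield_page` continues beyond the hunk.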
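Review bot: Channels created before this commit are regular files at `$_DATA/$LOCATION`, and index.cgi now looks for `$_DATA/$LOCATION/channel` without any migration: for such a channel the `mkdir` in channel.sh's `create)` fails on the existing file and `-f "$chatfile"` is false, so it can be neither read nor re-created. Either move old files into place once as a deploy step or state the break in the commit message. Because `_DATA=.` is the same directory as `_EXEC`, the channel directories are created next to the scripts from a URL-derived name; a comment here such as `# LOCATION starts with "&" and contains no "/" (stripped above), so it cannot name cgilite/ or leave $_DATA` would record why that is safe. The `case` statement starts and ends outside the hunk.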