From bdad197e2cce46addf812d652b8706bbe042b532 Mon Sep 17 00:00:00 2001
From: ed <s@ocv.me>
Date: Mon, 27 Dec 2021 00:04:38 +0100
Subject: [PATCH] make it even worse

---
 bin/mtag/very-bad-idea.py | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/bin/mtag/very-bad-idea.py b/bin/mtag/very-bad-idea.py
index 54c29bee..c5d22c6b 100755
--- a/bin/mtag/very-bad-idea.py
+++ b/bin/mtag/very-bad-idea.py
@@ -1,10 +1,17 @@
 #!/usr/bin/env python3
 
 """
-use copyparty to xdg-open anything that is posted to it
+use copyparty to xdg-open anything that is posted to it,
+  and also xdg-open file uploads
+
+HELLA DANGEROUS,
+  GIVES RCE TO ANYONE WHO HAVE UPLOAD PERMISSIONS
 
 example copyparty config to use this:
   --urlform save,get -v.::w:c,e2d,e2t,mte=+a1:c,mtp=a1=ad,bin/mtag/very-bad-idea.py
+
+recommended deps:
+  apt install xdotool libnotify-bin
 """
 
 import os
@@ -14,11 +21,22 @@ from urllib.parse import unquote_to_bytes as unquote
 
 
 def main():
-    with open(os.path.abspath(sys.argv[1]), "rb") as f:
-        txt = f.read()
+    fp = os.path.abspath(sys.argv[1])
+    with open(fp, "rb") as f:
+        txt = f.read(4096)
 
+    if txt.startswith(b"msg="):
+        open_post(txt)
+    else:
+        open_url(fp)
+
+
+def open_post(txt):
     txt = unquote(txt.replace(b"+", b" ")).decode("utf-8")[4:]
+    open_url(txt)
 
+
+def open_url(txt):
     sp.call(["notify-send", "", txt])
     sp.call(["xdotool", "key", "ctrl+w"])
     sp.call(["xdg-open", txt])