From 300c1ecd288b0c426924a5bbba57e4e34ecea50e Mon Sep 17 00:00:00 2001 From: wraith-54321 <69217972+wraith-54321@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:42:07 -0800 Subject: [PATCH 1/4] Update chem_master.dm --- .../chemistry/machinery/chem_master.dm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/code/modules/reagents/chemistry/machinery/chem_master.dm b/code/modules/reagents/chemistry/machinery/chem_master.dm index 202b29287d9d..0a3b8abd8180 100644 --- a/code/modules/reagents/chemistry/machinery/chem_master.dm +++ b/code/modules/reagents/chemistry/machinery/chem_master.dm @@ -355,7 +355,24 @@ GLOBAL_LIST_INIT(chem_master_containers, list( return TRUE if(action == "selectContainer") - selected_container = params["ref"] + var/obj/item/reagent_containers/target = locate(params["ref"]) + + //is this even a valid type path + if(!ispath(target)) + return FALSE + + //are we printing a valid container + var/container_found = FALSE + for(var/category in printable_containers) + for(var/obj/item/reagent_containers/container as anything in printable_containers[category]) + if(target == container) + container_found = TRUE + break + if(!container_found) + return FALSE + + //set the container + selected_container = target return TRUE if(action == "create") From 410c98af7b094ce18545089921472b614f2751b6 Mon Sep 17 00:00:00 2001 
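Review bot: `selected_container` changes type in the `selectContainer` branch, from the client-supplied ref string to a type path, while the patch touches no other line of chem_master.dm. Any reader of the variable outside the hunk (the `create` branch, the UI data proc) that still calls `locate(selected_container)` or sends it to the UI unchanged would need the matching update; those lines are not visible here, so this should be confirmed. The allow-list itself looks sound, since the located value is only stored after `ispath()` and an exact match against `printable_containers`. Minor: `break` leaves only the inner loop, so the category loop keeps scanning after a match; `if(container_found) break` at the top of the outer loop would stop it. The enclosing proc starts and ends outside the hunk.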
From: SyncIt21 <110812394+SyncIt21@users.noreply.github.com> Date: Wed, 20 Nov 2024 23:54:42 +0530 Subject: [PATCH 2/4] Adds checks for plumbing pill press (#88002) - Fixes #88001. Pllumbing pill press now reads the maximum volume of the selected product instead of showing a constant of 50u. Patches have a maximum volume of 40u so we send that to the UI - Plumbing pill press now validates the selected container to see if it's a valid printable option to prevent href exploits. It has the same issue as #87779 but now that's fixed - Plumbing pill press checks to see if the input volume is a number and returns false to stop the UI from updating if not :cl: fix: plumbing pill press advertises the correct maximum volume of your selected product instead of always 50u on the UI code: plumbing pill press validates selected container to prevent href exploits code: plumbing pill press validates input volume to see if it's a number /:cl: From 89f6e8d6ec4e9ceccaac0252ab0911e5986f01fe Mon Sep 17 00:00:00 2001 From: wraith-54321 <69217972+wraith-54321@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:50:21 -0800 Subject: [PATCH 3/4] Update pill_press.dm --- code/modules/plumbing/plumbers/pill_press.dm | 84 +++++++++++++------- 1 file changed, 56 insertions(+), 28 deletions(-) diff --git a/code/modules/plumbing/plumbers/pill_press.dm b/code/modules/plumbing/plumbers/pill_press.dm index 873177819cbe..e565bfc08cc9 100644 --- a/code/modules/plumbing/plumbers/pill_press.dm +++ b/code/modules/plumbing/plumbers/pill_press.dm @@ -1,7 +1,5 @@ ///the minimum size of a pill or patch #define MIN_VOLUME 5 -///the maximum size a pill or patch can be -#define MAX_VOLUME 50 ///max amount of pills allowed on our tile before we start storing them instead #define MAX_FLOOR_PRODUCTS 10 
@@ -12,16 +10,16 @@ icon_state = "pill_press" ///category for plumbing RCD category="Storage" - /// current operating product (pills or patches) - var/product = "pill" /// selected size of the product var/current_volume = 10 + /// maximum printable volume of the product + var/max_volume = 50 /// prefix for the product name var/product_name = "factory" /// All packaging types wrapped up in 1 big list var/static/list/packaging_types = null ///The type of packaging to use - var/packaging_type + var/obj/item/reagent_containers/packaging_type ///Category of packaging var/packaging_category /// list of products stored in the machine, so we dont have 610 pills on one tile 
@@ -53,34 +51,28 @@ packaging_types += list(category_item) - packaging_type = REF(GLOB.chem_master_containers[CAT_PILLS][1]) - decode_category() + packaging_type = GLOB.reagent_containers[CAT_PILLS][1] + max_volume = initial(packaging_type.volume) + current_volume = clamp(current_volume, MIN_VOLUME, max_volume) AddComponent(/datum/component/plumbing/simple_demand, bolt, layer) +obj/machinery/plumbing/pill_press/Destroy(force) + QDEL_LAZYLIST(stored_products) + return ..() + /obj/machinery/plumbing/pill_press/examine(mob/user) . = ..() . += span_notice("The [name] currently has [stored_products.len] stored. There needs to be less than [MAX_FLOOR_PRODUCTS] on the floor to continue dispensing.") -/// decode product category from it's type path and returns the decoded typepath -/obj/machinery/plumbing/pill_press/proc/decode_category() - var/obj/item/reagent_containers/container = locate(packaging_type) - if(ispath(container, /obj/item/reagent_containers/pill/patch)) - packaging_category = CAT_PATCHES - else if(ispath(container, /obj/item/reagent_containers/pill)) - packaging_category = CAT_PILLS - else - packaging_category = CAT_TUBES - return container - /obj/machinery/plumbing/pill_press/process(seconds_per_tick) if(!is_operational) return //shift & check to account for floating point inaccuracies if(reagents.total_volume >= current_volume) - var/obj/item/reagent_containers/container = locate(packaging_type) - container = new container(src) + var/obj/item/reagent_containers/container = new packaging_type(src) + var/suffix switch(packaging_category) if(CAT_PILLS) @@ -122,7 +114,6 @@ var/list/data = list() data["min_volume"] = MIN_VOLUME - data["max_volume"] = MAX_VOLUME data["packaging_types"] = packaging_types return data 
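Review bot: `packaging_category` no longer receives a value in Initialize() once the `decode_category()` call is removed: the declaration in the previous hunk has no default, and the added lines set only `packaging_type`, `max_volume` and `current_volume`. Unless it is assigned somewhere not shown, `switch(packaging_category)` in process() would match no branch on a freshly built press until a `change_product` action runs, and the UI data would carry a null category. Adding `packaging_category = CAT_PILLS` next to the `packaging_type` assignment keeps the default consistent with the default container. Initialize() begins outside the hunk.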
@@ -131,8 +122,9 @@ var/list/data = list() data["current_volume"] = current_volume + data["max_volume"] = max_volume data["product_name"] = product_name - data["packaging_type"] = packaging_type + data["packaging_type"] = REF(packaging_type) data["packaging_category"] = packaging_category return data 
@@ -142,21 +134,57 @@ if(.) return - . = TRUE switch(action) if("change_current_volume") - current_volume = round(clamp(text2num(params["volume"]), MIN_VOLUME, MAX_VOLUME)) + var/value = params["volume"] + if(isnull(value)) + return FALSE + + value = text2num(value) + if(isnull(value)) + return FALSE + + current_volume = clamp(value, MIN_VOLUME, max_volume) + return TRUE + if("change_product_name") var/formatted_name = html_encode(params["name"]) if (length(formatted_name) > MAX_NAME_LEN) product_name = copytext(formatted_name, 1, MAX_NAME_LEN + 1) else product_name = formatted_name + return TRUE + if("change_product") - packaging_type = params["ref"] - var/obj/item/reagent_containers/container = decode_category() - current_volume = clamp(current_volume, MIN_VOLUME, initial(container.volume)) + var/container = params["ref"] + if(!container) + return FALSE + + //is a valid option + var/container_found = FALSE + for(var/list/category as anything in packaging_types) + if(container_found) + break + for(var/list/package_item as anything in category["products"]) + if(container == package_item["ref"]) + container_found = TRUE + break + if(!container_found) + return FALSE + + //decode container & its category + packaging_type = locate(container) + if(ispath(packaging_type, /obj/item/reagent_containers/pill/patch)) + packaging_category = CAT_PATCHES + else if(ispath(packaging_type, /obj/item/reagent_containers/pill)) + packaging_category = CAT_PILLS + else + packaging_category = "Bottles" + + //get new volumes + max_volume = initial(packaging_type.volume) + current_volume = clamp(current_volume, MIN_VOLUME, max_volume) + return TRUE #undef MIN_VOLUME -#undef MAX_VOLUME #undef MAX_FLOOR_PRODUCTS From 4995c53791aca33a50b424295ef4ea1858433869 Mon Sep 17 00:00:00 2001 
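Review bot: The fallback in `change_product` sets `packaging_category = "Bottles"`, whereas the removed `decode_category()` used `CAT_TUBES`. If `CAT_TUBES` is not defined as that string in this codebase, the `switch(packaging_category)` in process() and the category keys built in Initialize() (both outside this hunk) would stop matching for that container type; worth confirming, or keeping `packaging_category = CAT_TUBES`. Separately, `change_current_volume` drops the old `round()`, so a fractional value sent by the client is now stored as-is; `current_volume = round(clamp(value, MIN_VOLUME, max_volume))` keeps the previous behaviour. The proc's signature is outside the hunk.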
From: wraith-54321 <69217972+wraith-54321@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:59:21 -0800 Subject: [PATCH 4/4] Update pill_press.dm --- code/modules/plumbing/plumbers/pill_press.dm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code/modules/plumbing/plumbers/pill_press.dm b/code/modules/plumbing/plumbers/pill_press.dm index e565bfc08cc9..931bf1d2fdfc 100644 --- a/code/modules/plumbing/plumbers/pill_press.dm +++ b/code/modules/plumbing/plumbers/pill_press.dm @@ -51,13 +51,13 @@ packaging_types += list(category_item) - packaging_type = GLOB.reagent_containers[CAT_PILLS][1] + packaging_type = GLOB.chem_master_containers[CAT_PILLS][1] //monkestation edit: reaplces GLOB.reagent_containers with GLOB.chem_master_containers max_volume = initial(packaging_type.volume) current_volume = clamp(current_volume, MIN_VOLUME, max_volume) AddComponent(/datum/component/plumbing/simple_demand, bolt, layer) -obj/machinery/plumbing/pill_press/Destroy(force) +/obj/machinery/plumbing/pill_press/Destroy(force) QDEL_LAZYLIST(stored_products) return ..()