Fix potential SQL injection in Smart Playlists
This commit is contained in:
parent
8c707b4e0c
commit
9e79b5cbf2
2 changed files with 8 additions and 4 deletions
|
@ -28,8 +28,8 @@ func (c Criteria) OrderBy() string {
|
||||||
f := fieldMap[strings.ToLower(c.Sort)]
|
f := fieldMap[strings.ToLower(c.Sort)]
|
||||||
var mapped string
|
var mapped string
|
||||||
if f == nil {
|
if f == nil {
|
||||||
log.Error("Invalid field in 'sort' field", "field", c.Sort)
|
log.Error("Invalid field in 'sort' field. Using 'title'", "sort", c.Sort)
|
||||||
mapped = c.Sort
|
mapped = fieldMap["title"].field
|
||||||
} else {
|
} else {
|
||||||
if f.order == "" {
|
if f.order == "" {
|
||||||
mapped = f.field
|
mapped = f.field
|
||||||
|
@ -38,7 +38,11 @@ func (c Criteria) OrderBy() string {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if c.Order != "" {
|
if c.Order != "" {
|
||||||
mapped = mapped + " " + c.Order
|
if strings.EqualFold(c.Order, "asc") || strings.EqualFold(c.Order, "desc") {
|
||||||
|
mapped = mapped + " " + c.Order
|
||||||
|
} else {
|
||||||
|
log.Error("Invalid value in 'order' field. Valid values: 'asc', 'desc'", "order", c.Order)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return mapped
|
return mapped
|
||||||
}
|
}
|
||||||
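Review bot: The allowlist check on the `if strings.EqualFold(c.Order, "asc") || strings.EqualFold(c.Order, "desc")` line still echoes the caller's raw string into the SQL on the following `mapped = mapped + " " + c.Order` line, and EqualFold uses Unicode simple case folding rather than ASCII comparison, so an input such as "aſc" (with U+017F long s) passes the check and is appended verbatim. That is not an injection vector (only a handful of short strings fold-equal to asc/desc), but it produces a malformed ORDER BY instead of the intended direction and keeps the pattern of interpolating validated-but-raw input that this commit is otherwise removing. After validating, emit the canonical literal so the text reaching the query is always one of two constants; a switch does this and drops the else branch. OrderBy begins before the first hunk of this section, and that hunk's `fieldMap["title"].field` fallback presumes "title" is always present in fieldMap, which this page does not show.
```go
	if c.Order != "" {
		switch {
		case strings.EqualFold(c.Order, "asc"):
			mapped += " asc"
		case strings.EqualFold(c.Order, "desc"):
			mapped += " desc"
		default:
			log.Error("Invalid value in 'order' field. Valid values: 'asc', 'desc'", "order", c.Order)
		}
	}
	return mapped
```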
|
|
|
@ -72,7 +72,7 @@ func (s *TagScanner) Scan(ctx context.Context, lastModifiedSince time.Time, prog
|
||||||
ctx = s.withAdminUser(ctx)
|
ctx = s.withAdminUser(ctx)
|
||||||
start := time.Now()
|
start := time.Now()
|
||||||
|
|
||||||
// Special case: if lastModifiedSInce is zero, re-import all files
|
// Special case: if lastModifiedSince is zero, re-import all files
|
||||||
fullScan := lastModifiedSince.IsZero()
|
fullScan := lastModifiedSince.IsZero()
|
||||||
|
|
||||||
allDBDirs, err := s.getDBDirTree(ctx)
|
allDBDirs, err := s.getDBDirTree(ctx)
|
||||||
|
|