mirrors/navidrome
1
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2025-04-04 13:07:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Fix potential SQL injection in Smart Playlists

Browse source
This commit is contained in:
Deluan 2022-01-18 21:20:26 -05:00
parent 8c707b4e0c
commit 9e79b5cbf2
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
model/criteria/criteria.go
View file

@ -28,8 +28,8 @@ func (c Criteria) OrderBy() string {
f := fieldMap[strings.ToLower(c.Sort)] f := fieldMap[strings.ToLower(c.Sort)]
var mapped string var mapped string
if f == nil { if f == nil {
log.Error("Invalid field in 'sort' field", "field", c.Sort) log.Error("Invalid field in 'sort' field. Using 'title'", "sort", c.Sort)
mapped = c.Sort mapped = fieldMap["title"].field
} else { } else {
if f.order == "" { if f.order == "" {
mapped = f.field mapped = f.field
@ -38,7 +38,11 @@ func (c Criteria) OrderBy() string {
} }
} }
if c.Order != "" { if c.Order != "" {
mapped = mapped + " " + c.Order if strings.EqualFold(c.Order, "asc") || strings.EqualFold(c.Order, "desc") {
mapped = mapped + " " + c.Order
} else {
log.Error("Invalid value in 'order' field. Valid values: 'asc', 'desc'", "order", c.Order)
}
} }
return mapped return mapped
} }

2
scanner/tag_scanner.go
View file

@ -72,7 +72,7 @@ func (s *TagScanner) Scan(ctx context.Context, lastModifiedSince time.Time, prog
ctx = s.withAdminUser(ctx) ctx = s.withAdminUser(ctx)
start := time.Now() start := time.Now()
// Special case: if lastModifiedSInce is zero, re-import all files // Special case: if lastModifiedSince is zero, re-import all files
fullScan := lastModifiedSince.IsZero() fullScan := lastModifiedSince.IsZero()
allDBDirs, err := s.getDBDirTree(ctx) allDBDirs, err := s.getDBDirTree(ctx)