
Commit 83283bc

committed
Safe work
1 parent f1d8746 commit 83283bc


6 files changed

+40
-16
lines changed


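--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 "github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.5.6.1024 Beta"
+const APP_VER = "0.5.6.1025 Beta"
 
 func init() {
 runtime.GOMAXPROCS(runtime.NumCPU())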

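--- a/models/issue.go
+++ b/models/issue.go
@@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort
 
 if len(labelIds) > 0 {
 for _, label := range strings.Split(labelIds, ",") {
-sess.And("label_ids like '%$" + label + "|%'")
+// Prevent SQL inject.
+if com.StrTo(label).MustInt() > 0 {
+sess.And("label_ids like '%$" + label + "|%'")
+}
 }
 }
 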
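Review bot: The guard on new line 215 checks that `label` parses as a positive integer but line 216 still splices the raw string into the LIKE pattern, so the value that was validated and the value that reaches the query are not the same thing (if MustInt is strconv-based, a form such as a leading `+` passes the check and lands in the pattern verbatim). Binding the pattern instead of concatenating it removes the dependence on the guard altogether, in the same style the session API already supports for `?` arguments: `sess.And("label_ids like ?", "%$"+label+"|%")`, with the integer check kept purely as input validation. A label id that fails to parse is also silently dropped from the filter rather than reported, which deserves a comment such as `// Non-numeric label ids are ignored, not reported.` GetIssues begins and ends outside this hunk.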

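--- a/models/repo.go
+++ b/models/repo.go
@@ -1131,17 +1131,21 @@ type SearchOption struct {
 Keyword string
 Uid int64
 Limit int
+Private bool
+}
+
+// FilterSQLInject tries to prevent SQL injection.
+func FilterSQLInject(key string) string {
+key = strings.TrimSpace(key)
+key = strings.Split(key, " ")[0]
+key = strings.Replace(key, ",", "", -1)
+return key
 }
 
 // SearchRepositoryByName returns given number of repositories whose name contains keyword.
 func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
 // Prevent SQL inject.
-opt.Keyword = strings.TrimSpace(opt.Keyword)
-if len(opt.Keyword) == 0 {
-return repos, nil
-}
-
-opt.Keyword = strings.Split(opt.Keyword, " ")[0]
+opt.Keyword = FilterSQLInject(opt.Keyword)
 if len(opt.Keyword) == 0 {
 return repos, nil
 }
@@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
 if opt.Uid > 0 {
 sess.Where("owner_id=?", opt.Uid)
 }
+if !opt.Private {
+sess.And("is_private=false")
+}
 sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
 return repos, err
 }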
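Review bot: FilterSQLInject (new lines 1137–1142) only keeps the first space-separated token and strips commas, so a keyword such as `a'or'1'='1` — no spaces, no commas — passes through unchanged into the concatenated `lower_name like '%...%'` on 1164, where the single quote still closes the string literal; the helper does not stop injection and its doc comment promises more than it delivers. The robust fix is to bind the pattern the way `owner_id=?` already is on 1159: `sess.And("lower_name like ?", "%"+opt.Keyword+"%").Find(&repos)`, and to reword the comment to `// FilterSQLInject normalizes the keyword to a single comma-free token; callers must still bind it, not concatenate it.` In the visible lines the `Find` result on 1164 is discarded and the named `err` is returned unassigned, so a query failure is never reported to the caller; `err = sess.And(...).Find(&repos)` fixes that in the same line, though `err` could be set between the two hunks. The bare `is_private=false` literal on 1162 is also less portable than a bound boolean, `sess.And("is_private=?", false)`, since whether every supported database accepts the keyword is not visible here.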

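--- a/models/user.go
+++ b/models/user.go
@@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) {
 
 // SearchUserByName returns given number of users whose name contains keyword.
 func SearchUserByName(opt SearchOption) (us []*User, err error) {
-// Prevent SQL inject.
-opt.Keyword = strings.TrimSpace(opt.Keyword)
-if len(opt.Keyword) == 0 {
-return us, nil
-}
-
-opt.Keyword = strings.Split(opt.Keyword, " ")[0]
+opt.Keyword = FilterSQLInject(opt.Keyword)
 if len(opt.Keyword) == 0 {
 return us, nil
 }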
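Review bot: The `// Prevent SQL inject.` comment that sat on old line 577 was dropped here while its twin in SearchRepositoryByName was kept, and whichever way the two are made consistent, the comment should not overstate what the helper does: FilterSQLInject only reduces the keyword to its first space-separated token and strips commas, and does nothing about quotes. If the query further down in SearchUserByName is built by string concatenation like the repository search, the keyword must be passed as a bound `?` argument instead; the body continues past the hunk, so that cannot be confirmed from here. A one-line comment at new line 577 such as `// Normalize to a single comma-free token; the keyword must still be bound, not concatenated.` would make the contract explicit for the next reader.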

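--- a/routers/api/v1/repos.go
+++ b/routers/api/v1/repos.go
@@ -31,6 +31,26 @@ func SearchRepos(ctx *middleware.Context) {
 opt.Limit = 10
 }
 
+// Check visibility.
+if ctx.IsSigned && opt.Uid > 0 {
+if ctx.User.Id == opt.Uid {
+opt.Private = true
+} else {
+u, err := models.GetUserById(opt.Uid)
+if err != nil {
+ctx.JSON(500, map[string]interface{}{
+"ok": false,
+"error": err.Error(),
+})
+return
+}
+if u.IsOrganization() && u.IsOrgOwner(ctx.User.Id) {
+opt.Private = true
+}
+// FIXME: how about collaborators?
+}
+}
+
 repos, err := models.SearchRepositoryByName(opt)
 if err != nil {
 ctx.JSON(500, map[string]interface{}{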
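Review bot: The error branch on new lines 40–45 returns `err.Error()` from models.GetUserById straight to the API client, which exposes internal database error text to any signed-in caller and, when the lookup fails merely because the uid does not exist, reports that as a 500 rather than a not-found. Log the error server-side and send a fixed message, `"error": "failed to look up user"`, and map the not-found case to 404 if the models package exposes a distinguishable error for it (not visible here). The same pattern already exists on 55–58 below, so this is an existing habit in the handler rather than something new, but the added branch is the place to stop extending it. The open `// FIXME: how about collaborators?` on 50 also means a signed-in collaborator still receives only public results (Private stays false, so the model adds `is_private=false`); SearchRepos continues past the hunk.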

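--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.5.6.1024 Beta
+0.5.6.1025 Beta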
