Fix potential SQL injection in Smart Playlists
deluan committed Jan 19, 2022
1 parent 8c707b4 commit 9e79b5c
Showing 2 changed files with 8 additions and 4 deletions.
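--- a/model/criteria/criteria.go
+++ b/model/criteria/criteria.go
@@ -28,8 +28,8 @@ func (c Criteria) OrderBy() string {
 f := fieldMap[strings.ToLower(c.Sort)]
 var mapped string
 if f == nil {
-log.Error("Invalid field in 'sort' field", "field", c.Sort)
-mapped = c.Sort
+log.Error("Invalid field in 'sort' field. Using 'title'", "sort", c.Sort)
+mapped = fieldMap["title"].field
 } else {
 if f.order == "" {
 mapped = f.field
@@ -38,7 +38,11 @@ func (c Criteria) OrderBy() string {
 }
 }
 if c.Order != "" {
-mapped = mapped + " " + c.Order
+if strings.EqualFold(c.Order, "asc") || strings.EqualFold(c.Order, "desc") {
+mapped = mapped + " " + c.Order
+} else {
+log.Error("Invalid value in 'order' field. Valid values: 'asc', 'desc'", "order", c.Order)
+}
 }
 return mapped
 }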
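Review bot: OrderBy has no doc comment recording the invariant this fix establishes: the returned string is built only from fieldMap entries and a literal asc/desc, never from raw c.Sort or unvalidated c.Order. Going by the commit title, the result presumably lands in an ORDER BY clause, where column names and direction cannot be bound as query parameters, so this allow-list is the only protection and a later edit could quietly undo it. I would add above the function `// OrderBy builds the ORDER BY expression from fieldMap entries and an "asc"/"desc" direction only; raw c.Sort and unvalidated c.Order must never reach the returned string.` Separately, the fallback `fieldMap["title"].field` dereferences a map lookup unchecked; fieldMap is defined outside this section, so confirm the "title" key is guaranteed, since a missing entry would panic on the error path. The lines of OrderBy between the two hunks are not shown here.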
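--- a/scanner/tag_scanner.go
+++ b/scanner/tag_scanner.go
@@ -72,7 +72,7 @@ func (s *TagScanner) Scan(ctx context.Context, lastModifiedSince time.Time, prog
 ctx = s.withAdminUser(ctx)
 start := time.Now()
 
-// Special case: if lastModifiedSInce is zero, re-import all files
+// Special case: if lastModifiedSince is zero, re-import all files
 fullScan := lastModifiedSince.IsZero()
 
 allDBDirs, err := s.getDBDirTree(ctx)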
