more strict parameter parsing

commit 59bd97aaad8db7a34c6d0e997ed668c0482629e4 1 parent fca0995
Yohei Sasaki authored May 07, 2011

Showing 1 changed file with 6 additions and 2 deletions. Show diff stats Hide diff stats

  1. 8  apps/posts/app.js
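--- a/apps/posts/app.js
+++ b/apps/posts/app.js
@@ -99,9 +99,13 @@ ddoc.init = function(app, config){
           function(req, res, next){
             try{
               var y = parseInt(req.params.year);
-              var m = parseInt(req.params.month[0] == '0' ? req.params.month[1] : req.params.month);
+              var m = parseInt(req.params.month[0] == '0' ? req.params.month.substr(1) : req.params.month);
+              if( m <= 0 || m > 12 ){
+                throw new Error("invalid month parameter");
+              }
             }catch(e){
-              res.redirect('/');
+              logger.warn('Invalid parameter request - ' + e + ' (' + req.url + ')');
+              return res.redirect('/');
             }
             req.query.startkey = (new Date(y, m - 1, 1)).toJSON();
             req.query.endkey = (new Date(y, m , 1)).toJSON();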
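Review bot: The added range check `m <= 0 || m > 12` does not reject a non-numeric month, because `parseInt` returns NaN, both comparisons evaluate to false, and nothing is thrown. The request then reaches `new Date(y, m - 1, 1)` with an invalid date, and `y` is never checked at all. Unless the route pattern (not visible in this hunk) already restricts both parameters to digits, parse with an explicit radix, `var y = parseInt(req.params.year, 10), m = parseInt(req.params.month, 10);`, which also removes the need for the leading-zero special case, and guard with `if (isNaN(y) || isNaN(m) || m < 1 || m > 12) throw new Error("invalid date parameter");`. Separately, `req.url` is request-controlled and is concatenated into the `logger.warn` message as-is, so it is worth confirming that the logger neutralises control characters. The handler's body continues past the end of the hunk.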
