author | Unknwon <joe2010xtmf@163.com> | 2014-10-25 07:50:19 -0400 |
---|---|---|
committer | Unknwon <joe2010xtmf@163.com> | 2014-10-25 07:50:19 -0400 |
commit | 83283bca4cb4e0f4ec48a28af680f0d88db3d2c8 (patch) | |
tree | 665b81c242a4d92811568367eb53dc3ba5eb1247 /models | |
parent | f1d87462642aa0ab4ce61e8a285e3a288b4dc119 (diff) |
Safe work
Diffstat (limited to 'models')
-rw-r--r-- | models/issue.go | 5 | ||||
-rw-r--r-- | models/repo.go | 19 | ||||
-rw-r--r-- | models/user.go | 8 |
3 files changed, 18 insertions, 14 deletions
diff --git a/models/issue.go b/models/issue.go
index f16c2e25..8004647c 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort
 
 if len(labelIds) > 0 {
 for _, label := range strings.Split(labelIds, ",") {
- sess.And("label_ids like '%$" + label + "|%'")
+ // Prevent SQL inject.
+ if com.StrTo(label).MustInt() > 0 {
+ sess.And("label_ids like '%$" + label + "|%'")
+ }
 }
 }
 
diff --git a/models/repo.go b/models/repo.go
index dc47b2e6..888dea1e 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -1131,17 +1131,21 @@ type SearchOption struct {
 Keyword string
 Uid int64
 Limit int
+ Private bool
+}
+
+// FilterSQLInject tries to prevent SQL injection.
+func FilterSQLInject(key string) string {
+ key = strings.TrimSpace(key)
+ key = strings.Split(key, " ")[0]
+ key = strings.Replace(key, ",", "", -1)
+ return key
 }
 
 // SearchRepositoryByName returns given number of repositories whose name contains keyword.
 func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
 // Prevent SQL inject.
- opt.Keyword = strings.TrimSpace(opt.Keyword)
- if len(opt.Keyword) == 0 {
- return repos, nil
- }
-
- opt.Keyword = strings.Split(opt.Keyword, " ")[0]
+ opt.Keyword = FilterSQLInject(opt.Keyword)
 if len(opt.Keyword) == 0 {
 return repos, nil
 }
@@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
 if opt.Uid > 0 {
 sess.Where("owner_id=?", opt.Uid)
 }
+ if !opt.Private {
+ sess.And("is_private=false")
+ }
 sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
 return repos, err
 }
diff --git a/models/user.go b/models/user.go
index 6b0f796b..ce85008b 100644
--- a/models/user.go
+++ b/models/user.go
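Review bot: The guarded `sess.And` inside the `strings.Split(labelIds, ",")` loop still concatenates the raw `label` text into the LIKE clause, so its safety rests entirely on `com.StrTo(label).MustInt()` returning 0 for anything that is not a plain integer, and that helper is not visible in this hunk. Binding the value removes the dependency: `sess.And("label_ids like ?", "%$"+label+"|%")`, the same placeholder form that `sess.Where("owner_id=?", opt.Uid)` already uses in models/repo.go. Labels that fail the check are dropped silently, which removes a filter condition and widens the result set instead of reporting a bad request; if that is intended, the comment should say so. GetIssues starts and ends outside the hunk.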
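Review bot: `FilterSQLInject` only trims whitespace, keeps the first space-separated token and strips commas, so a keyword containing a quote character, `%`, `_` or a backslash is returned unchanged and still reaches the concatenated `lower_name like '%" + opt.Keyword + "%'` clause in SearchRepositoryByName. The keyword should be bound rather than filtered, `sess.And("lower_name like ?", "%"+opt.Keyword+"%")`, with the helper kept only for normalising the search term. The models/user.go hunk routes SearchUserByName through the same helper, so the same concern applies to whatever query follows there, which is outside the visible lines. The doc comment should state exactly what is stripped instead of "tries to prevent SQL injection", since an exported name like this invites callers to treat its output as safe to concatenate. SearchRepositoryByName continues past the end of the hunk.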
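Review bot: The added `sess.And("is_private=false")` depends on the database accepting a bare `false` literal, which not every SQL engine does; if more than one backend is supported, bind the value instead: `sess.And("is_private=?", false)`. On the context line that follows, the result of `.Find(&repos)` is discarded and the named `err` is returned as it stands, so unless it is assigned in the lines above the hunk a failed query is reported as an empty result with a nil error; `err = sess.And(...).Find(&repos)` would surface it. Because `Private` is false by default, callers that do not set it now see only public repositories, which is the safe default and deserves a field comment on `SearchOption`. The function starts outside the hunk.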
@@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) {
 
 // SearchUserByName returns given number of users whose name contains keyword.
 func SearchUserByName(opt SearchOption) (us []*User, err error) {
- // Prevent SQL inject.
- opt.Keyword = strings.TrimSpace(opt.Keyword)
- if len(opt.Keyword) == 0 {
- return us, nil
- }
-
- opt.Keyword = strings.Split(opt.Keyword, " ")[0]
+ opt.Keyword = FilterSQLInject(opt.Keyword)
 if len(opt.Keyword) == 0 {
 return us, nil
 } |