mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-26 14:02:41 +01:00
Safe work
This commit is contained in:
parent
f1d8746264
commit
83283bca4c
6 changed files with 40 additions and 16 deletions
2
gogs.go
2
gogs.go
|
@ -17,7 +17,7 @@ import (
|
||||||
"github.com/gogits/gogs/modules/setting"
|
"github.com/gogits/gogs/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
const APP_VER = "0.5.6.1024 Beta"
|
const APP_VER = "0.5.6.1025 Beta"
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
runtime.GOMAXPROCS(runtime.NumCPU())
|
runtime.GOMAXPROCS(runtime.NumCPU())
|
||||||
|
|
|
@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort
|
||||||
|
|
||||||
if len(labelIds) > 0 {
|
if len(labelIds) > 0 {
|
||||||
for _, label := range strings.Split(labelIds, ",") {
|
for _, label := range strings.Split(labelIds, ",") {
|
||||||
sess.And("label_ids like '%$" + label + "|%'")
|
// Prevent SQL inject.
|
||||||
|
if com.StrTo(label).MustInt() > 0 {
|
||||||
|
sess.And("label_ids like '%$" + label + "|%'")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1131,17 +1131,21 @@ type SearchOption struct {
|
||||||
Keyword string
|
Keyword string
|
||||||
Uid int64
|
Uid int64
|
||||||
Limit int
|
Limit int
|
||||||
|
Private bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// FilterSQLInject tries to prevent SQL injection.
|
||||||
|
func FilterSQLInject(key string) string {
|
||||||
|
key = strings.TrimSpace(key)
|
||||||
|
key = strings.Split(key, " ")[0]
|
||||||
|
key = strings.Replace(key, ",", "", -1)
|
||||||
|
return key
|
||||||
}
|
}
|
||||||
|
|
||||||
// SearchRepositoryByName returns given number of repositories whose name contains keyword.
|
// SearchRepositoryByName returns given number of repositories whose name contains keyword.
|
||||||
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
|
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
|
||||||
// Prevent SQL inject.
|
// Prevent SQL inject.
|
||||||
opt.Keyword = strings.TrimSpace(opt.Keyword)
|
opt.Keyword = FilterSQLInject(opt.Keyword)
|
||||||
if len(opt.Keyword) == 0 {
|
|
||||||
return repos, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
opt.Keyword = strings.Split(opt.Keyword, " ")[0]
|
|
||||||
if len(opt.Keyword) == 0 {
|
if len(opt.Keyword) == 0 {
|
||||||
return repos, nil
|
return repos, nil
|
||||||
}
|
}
|
||||||
|
@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
|
||||||
if opt.Uid > 0 {
|
if opt.Uid > 0 {
|
||||||
sess.Where("owner_id=?", opt.Uid)
|
sess.Where("owner_id=?", opt.Uid)
|
||||||
}
|
}
|
||||||
|
if !opt.Private {
|
||||||
|
sess.And("is_private=false")
|
||||||
|
}
|
||||||
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
|
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
|
||||||
return repos, err
|
return repos, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) {
|
||||||
|
|
||||||
// SearchUserByName returns given number of users whose name contains keyword.
|
// SearchUserByName returns given number of users whose name contains keyword.
|
||||||
func SearchUserByName(opt SearchOption) (us []*User, err error) {
|
func SearchUserByName(opt SearchOption) (us []*User, err error) {
|
||||||
// Prevent SQL inject.
|
opt.Keyword = FilterSQLInject(opt.Keyword)
|
||||||
opt.Keyword = strings.TrimSpace(opt.Keyword)
|
|
||||||
if len(opt.Keyword) == 0 {
|
|
||||||
return us, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
opt.Keyword = strings.Split(opt.Keyword, " ")[0]
|
|
||||||
if len(opt.Keyword) == 0 {
|
if len(opt.Keyword) == 0 {
|
||||||
return us, nil
|
return us, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -31,6 +31,26 @@ func SearchRepos(ctx *middleware.Context) {
|
||||||
opt.Limit = 10
|
opt.Limit = 10
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check visibility.
|
||||||
|
if ctx.IsSigned && opt.Uid > 0 {
|
||||||
|
if ctx.User.Id == opt.Uid {
|
||||||
|
opt.Private = true
|
||||||
|
} else {
|
||||||
|
u, err := models.GetUserById(opt.Uid)
|
||||||
|
if err != nil {
|
||||||
|
ctx.JSON(500, map[string]interface{}{
|
||||||
|
"ok": false,
|
||||||
|
"error": err.Error(),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if u.IsOrganization() && u.IsOrgOwner(ctx.User.Id) {
|
||||||
|
opt.Private = true
|
||||||
|
}
|
||||||
|
// FIXME: how about collaborators?
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
repos, err := models.SearchRepositoryByName(opt)
|
repos, err := models.SearchRepositoryByName(opt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.JSON(500, map[string]interface{}{
|
ctx.JSON(500, map[string]interface{}{
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
0.5.6.1024 Beta
|
0.5.6.1025 Beta
|
Loading…
Reference in a new issue