Safe work

This commit is contained in:
Unknwon 2014-10-25 07:50:19 -04:00
parent f1d8746264
commit 83283bca4c
6 changed files with 40 additions and 16 deletions

View File

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.5.6.1024 Beta" const APP_VER = "0.5.6.1025 Beta"
func init() { func init() {
runtime.GOMAXPROCS(runtime.NumCPU()) runtime.GOMAXPROCS(runtime.NumCPU())

View File

@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort
if len(labelIds) > 0 { if len(labelIds) > 0 {
for _, label := range strings.Split(labelIds, ",") { for _, label := range strings.Split(labelIds, ",") {
sess.And("label_ids like '%$" + label + "|%'") // Prevent SQL inject.
if com.StrTo(label).MustInt() > 0 {
sess.And("label_ids like '%$" + label + "|%'")
}
} }
} }

View File

@ -1131,17 +1131,21 @@ type SearchOption struct {
Keyword string Keyword string
Uid int64 Uid int64
Limit int Limit int
Private bool
}
// FilterSQLInject tries to prevent SQL injection.
func FilterSQLInject(key string) string {
key = strings.TrimSpace(key)
key = strings.Split(key, " ")[0]
key = strings.Replace(key, ",", "", -1)
return key
} }
// SearchRepositoryByName returns given number of repositories whose name contains keyword. // SearchRepositoryByName returns given number of repositories whose name contains keyword.
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) { func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
// Prevent SQL inject. // Prevent SQL inject.
opt.Keyword = strings.TrimSpace(opt.Keyword) opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return repos, nil
}
opt.Keyword = strings.Split(opt.Keyword, " ")[0]
if len(opt.Keyword) == 0 { if len(opt.Keyword) == 0 {
return repos, nil return repos, nil
} }
@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
if opt.Uid > 0 { if opt.Uid > 0 {
sess.Where("owner_id=?", opt.Uid) sess.Where("owner_id=?", opt.Uid)
} }
if !opt.Private {
sess.And("is_private=false")
}
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos) sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
return repos, err return repos, err
} }

View File

@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) {
// SearchUserByName returns given number of users whose name contains keyword. // SearchUserByName returns given number of users whose name contains keyword.
func SearchUserByName(opt SearchOption) (us []*User, err error) { func SearchUserByName(opt SearchOption) (us []*User, err error) {
// Prevent SQL inject. opt.Keyword = FilterSQLInject(opt.Keyword)
opt.Keyword = strings.TrimSpace(opt.Keyword)
if len(opt.Keyword) == 0 {
return us, nil
}
opt.Keyword = strings.Split(opt.Keyword, " ")[0]
if len(opt.Keyword) == 0 { if len(opt.Keyword) == 0 {
return us, nil return us, nil
} }

View File

@ -31,6 +31,26 @@ func SearchRepos(ctx *middleware.Context) {
opt.Limit = 10 opt.Limit = 10
} }
// Check visibility.
if ctx.IsSigned && opt.Uid > 0 {
if ctx.User.Id == opt.Uid {
opt.Private = true
} else {
u, err := models.GetUserById(opt.Uid)
if err != nil {
ctx.JSON(500, map[string]interface{}{
"ok": false,
"error": err.Error(),
})
return
}
if u.IsOrganization() && u.IsOrgOwner(ctx.User.Id) {
opt.Private = true
}
// FIXME: how about collaborators?
}
}
repos, err := models.SearchRepositoryByName(opt) repos, err := models.SearchRepositoryByName(opt)
if err != nil { if err != nil {
ctx.JSON(500, map[string]interface{}{ ctx.JSON(500, map[string]interface{}{

View File

@ -1 +1 @@
0.5.6.1024 Beta 0.5.6.1025 Beta