author | Yorhel <git@yorhel.nl> | 2010-11-22 11:04:56 +0100 |
committer | Yorhel <git@yorhel.nl> | 2010-11-22 11:04:56 +0100 |
commit | 1c545349e9c17c9d1b7800c3b085ce6a0cff186a (patch) | |
tree | b21cf89f3aa26356d8de383caea9535ad8bcce79 /lib/VNDB | |
parent | 8395dc9db24ebd4814e7dd5cade08ce1e41b559b (diff) |
Added basic validation of the filter string
fil_parse() now checks for proper formatting of the string and ignores
key/value pairs that are not in the list of allowed keys. This makes it
impossible to provide extra, unintended, arguments to dbReleaseGet(),
such as 'results'.
Diffstat (limited to 'lib/VNDB')
-rw-r--r-- | lib/VNDB/Func.pm | 14 | ||||
-rw-r--r-- | lib/VNDB/Handler/Releases.pm | 3 |
2 files changed, 11 insertions, 6 deletions
diff --git a/lib/VNDB/Func.pm b/lib/VNDB/Func.pm
index 810fe622..11d442f4 100644
--- a/lib/VNDB/Func.pm
+++ b/lib/VNDB/Func.pm
@@ -95,13 +95,19 @@ sub minage {
 }
+# arguments: $filter_string, @allowed_keys
 sub fil_parse {
- return { map {
- my($f, $v) = split /-/, $_, 2;
+ my $str = shift;
+ my %keys = map +($_,1), @_;
+ my %r;
+ for (split /\./, $str) {
+ next if !/^([a-z0-9_]+)-([a-zA-Z0-9_~]+)$/ || !$keys{$1};
+ my($f, $v) = ($1, $2);
 my @v = split /~/, $v;
 s/_([0-9]{2})/$1 > $#fil_escape ? '' : $fil_escape[$1]/eg for(@v);
- $f => @v > 1 ? \@v : @v
- } split /\./, scalar shift };
+ $r{$f} = @v > 1 ? \@v : $v[0]
+ }
+ return \%r;
 }
diff --git a/lib/VNDB/Handler/Releases.pm b/lib/VNDB/Handler/Releases.pm
index 63ea0922..36378212 100644
--- a/lib/VNDB/Handler/Releases.pm
+++ b/lib/VNDB/Handler/Releases.pm
@@ -492,8 +492,7 @@ sub browse {
 );
 return 404 if $f->{_err};
- # TODO: validate the filter string?
- my $fil = fil_parse $f->{fil};
+ my $fil = fil_parse $f->{fil}, qw|type patch freeware doujin date_before date_after minage lang resolution plat med|;
 _fil_compat($self, $fil);
 $f->{fil} = fil_serialize($fil);
|
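Review bot: The value class in the `next if` regex of fil_parse admits `~` in any position, so a segment such as `type-~` or `lang-~en` passes validation and the following `split /~/` yields an empty list or an empty-string element, which `@v > 1 ? \@v : $v[0]` then stores as `undef` or `''` under an allowed key — a value dbReleaseGet() presumably does not expect. Restrict the value to non-empty `~`-separated items and anchor with `\A`/`\z` so a trailing newline cannot satisfy the check: `next if !/\A([a-z0-9_]+)-([a-zA-Z0-9_]+(?:~[a-zA-Z0-9_]+)*)\z/ || !$keys{$1};`. The captures are consumed on the very next line so the use of `$1`/`$2` is otherwise fine; since `$r{$f}` is assigned unconditionally, the new header comment could also note that a repeated key overwrites the earlier value, e.g. `# later duplicate keys overwrite earlier ones`.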
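Review bot: The allowed-key list in browse() is spelled out inline at the call site, so if fil_parse gains another caller the list has to be repeated and the copies can drift apart from the keys _fil_compat() and fil_serialize() handle; hoist it to a package-level `our @fil_keys = qw|type patch freeware doujin date_before date_after minage lang resolution plat med|;` (or a constant) and pass `@fil_keys` instead. Unknown keys are now silently dropped rather than rejected, which matches the commit message, but a short comment above the call such as `# fil_parse drops keys outside the allow-list; the cleaned filter is re-serialized below` would tell the next reader why fil_serialize() follows immediately. The browse sub starts and ends outside the hunk.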