From 1c545349e9c17c9d1b7800c3b085ce6a0cff186a Mon Sep 17 00:00:00 2001
From: Yorhel
Date: Mon, 22 Nov 2010 11:04:56 +0100
Subject: Added basic validation of the filter string

fil_parse() now checks for proper formatting of the string and ignores key/value pairs that are not the list of allowed keys. This makes it impossible to provide extra, unintended, arguments to dbReleaseGet(), such as 'results'.
---
 lib/VNDB/Func.pm | 14 ++++++++++----
 lib/VNDB/Handler/Releases.pm | 3 +--
 2 files changed, 11 insertions(+), 6 deletions(-)
(limited to 'lib')

diff --git a/lib/VNDB/Func.pm b/lib/VNDB/Func.pm
index 810fe622..11d442f4 100644
--- a/lib/VNDB/Func.pm
+++ b/lib/VNDB/Func.pm
@@ -95,13 +95,19 @@ sub minage {
 }
+# arguments: $filter_string, @allowed_keys
 sub fil_parse {
- return { map {
- my($f, $v) = split /-/, $_, 2;
+ my $str = shift;
+ my %keys = map +($_,1), @_;
+ my %r;
+ for (split /\./, $str) {
+ next if !/^([a-z0-9_]+)-([a-zA-Z0-9_~]+)$/ || !$keys{$1};
+ my($f, $v) = ($1, $2);
 my @v = split /~/, $v;
 s/_([0-9]{2})/$1 > $#fil_escape ? '' : $fil_escape[$1]/eg for(@v);
- $f => @v > 1 ? \@v : @v
- } split /\./, scalar shift };
+ $r{$f} = @v > 1 ? \@v : $v[0]
+ }
+ return \%r;
 }
diff --git a/lib/VNDB/Handler/Releases.pm b/lib/VNDB/Handler/Releases.pm
index 63ea0922..36378212 100644
--- a/lib/VNDB/Handler/Releases.pm
+++ b/lib/VNDB/Handler/Releases.pm
@@ -492,8 +492,7 @@ sub browse {
 );
 return 404 if $f->{_err};
- # TODO: validate the filter string?
- my $fil = fil_parse $f->{fil};
+ my $fil = fil_parse $f->{fil}, qw|type patch freeware doujin date_before date_after minage lang resolution plat med|;
 _fil_compat($self, $fil);
 $f->{fil} = fil_serialize($fil);
-- 
cgit v1.2.3
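Review bot: A pair whose value consists only of `~` characters (e.g. `type-~`) passes the new regex and the allow-list, but `split /~/, $v` then yields an empty list, so `$r{$f} = @v > 1 ? \@v : $v[0]` stores the key with an undef value; adding `next if !@v;` directly after `my @v = split /~/, $v;` keeps such entries out of the result. The allow-list constrains which keys reach the caller but not their values: after the `$fil_escape` unescaping a value can contain any character in that table, so per-key value checking still has to happen downstream, which the header comment should state, e.g. `# Only keys listed in @allowed_keys are returned; values are unescaped but not otherwise validated.` If `$f->{fil}` can be undef when no filter was given (not visible here), `split /\./, $str` warns under `use warnings`; `$str = '' if !defined $str;` after the `shift` avoids that. The `$` anchor in the key/value regex also matches before a trailing newline, so `\z` is the stricter choice for a format check.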
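Review bot: The allow-list passed to `fil_parse` is an inline `qw||` literal inside browse(), so the set of keys dbReleaseGet() accepts is now encoded in the handler rather than next to the code that consumes it; hoisting it to a named list such as `my @fil_keys = qw(type patch freeware doujin date_before date_after minage lang resolution plat med);` near the top of the module would give it a name and a single place to update when a filter is added. `_fil_compat($self, $fil)` runs after the allow-listed hash is built, and if it adds keys of its own (its body is outside the hunk) those are not subject to the list, which is worth a one-line comment at the call site. browse() starts and ends outside the hunk.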