From 0a78d99a4db96c5181678acc46ca3dcc0d10c2b2 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Fri, 6 May 2016 15:40:41 -0400
Subject: models/release: filter input to prevent command line argument vulnerability
---
 models/issue.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'models/issue.go')
diff --git a/models/issue.go b/models/issue.go
index 27df4796a1..f16382ba14 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -546,9 +546,9 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
 sess.Desc("created_unix")
 }
- if opts.Labels != "0" {
+ if len(opts.Labels) > 0 && opts.Labels != "0" {
 labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
- if opts.Labels != "" && len(labelIDs) > 0 {
+ if len(labelIDs) > 0 {
 sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("label_id", labelIDs)
 }
 }
@@ -785,9 +785,9 @@ func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
 countSession := func(opts *IssueStatsOptions) *xorm.Session {
 sess := x.Where("issue.repo_id = ?", opts.RepoID).And("is_pull = ?", opts.IsPull)
- if opts.Labels != "0" {
+ if len(opts.Labels) > 0 && opts.Labels != "0" {
 labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
- if opts.Labels != "" && len(labelIDs) > 0 {
+ if len(labelIDs) > 0 {
 sess.Join("INNER", "issue_label", "issue.id = issue_id").In("label_id", labelIDs)
 }
 }
--
cgit v1.2.3
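Review bot: The inner guard `if len(labelIDs) > 0` in Issues can no longer be false once the outer condition requires a non-empty opts.Labels, because strings.Split on a non-empty string always returns at least one element (assuming base.StringsToInt64s, which is not shown, returns one value per input token). A value such as `abc` or `1,,2` therefore still reaches `In("label_id", labelIDs)` with whatever the helper makes of the bad tokens; the IDs are passed to In as integers rather than concatenated into SQL, so this looks like a filtering-correctness gap, not an injection risk. I would drop non-positive IDs before building the join, which also matches the existing `"0"` sentinel. The same applies to the identical block in countSession inside GetIssueStats in the next hunk; both function bodies continue outside the hunks.

```go
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
// Keep only plausible label IDs; tokens that did not parse to a positive
// integer must not take part in the filter.
validIDs := make([]int64, 0, len(labelIDs))
for _, id := range labelIDs {
	if id > 0 {
		validIDs = append(validIDs, id)
	}
}
if len(validIDs) > 0 {
	sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("label_id", validIDs)
}
```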
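Review bot: The join condition in countSession is written `"issue.id = issue_id"`, with the right-hand column unqualified, while the same join in Issues uses `"issue.id = issue_label.issue_id"`. Since this block is being touched anyway, qualifying it as `issue.id = issue_label.issue_id` would keep the two functions consistent and avoid an ambiguous-column error if another table with an `issue_id` column is joined onto the same session. Whether that happens is not visible here, because the rest of GetIssueStats lies outside the hunk.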