@@ -17,7 +17,7 @@ import ( | |||
"github.com/gogits/gogs/modules/setting" | |||
) | |||
const APP_VER = "0.5.6.1024 Beta" | |||
const APP_VER = "0.5.6.1025 Beta" | |||
func init() { | |||
runtime.GOMAXPROCS(runtime.NumCPU()) |
@@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort | |||
if len(labelIds) > 0 { | |||
for _, label := range strings.Split(labelIds, ",") { | |||
sess.And("label_ids like '%$" + label + "|%'") | |||
// Prevent SQL inject. | |||
if com.StrTo(label).MustInt() > 0 { | |||
sess.And("label_ids like '%$" + label + "|%'") | |||
} | |||
} | |||
} | |||
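Review bot: The guard `if com.StrTo(label).MustInt() > 0` validates that `label` parses as a positive integer, but the concatenation on the next line still interpolates the raw string rather than the parsed value, so what is validated and what reaches the SQL text are not the same value. Since xorm's `And` accepts bind arguments (this commit itself uses `sess.Where("owner_id=?", opt.Uid)`), the pattern would be `if id := com.StrTo(label).MustInt(); id > 0 { sess.And("label_ids like ?", "%$"+com.ToStr(id)+"|%") }`, which removes the string-building entirely. Labels that fail the check are dropped silently; a comment such as `// non-numeric label ids are ignored rather than rejected` would make that choice explicit. GetIssues starts and ends outside the hunk.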
@@ -1131,17 +1131,21 @@ type SearchOption struct { | |||
Keyword string | |||
Uid int64 | |||
Limit int | |||
Private bool | |||
} | |||
// FilterSQLInject tries to prevent SQL injection. | |||
func FilterSQLInject(key string) string { | |||
key = strings.TrimSpace(key) | |||
key = strings.Split(key, " ")[0] | |||
key = strings.Replace(key, ",", "", -1) | |||
return key | |||
} | |||
// SearchRepositoryByName returns given number of repositories whose name contains keyword. | |||
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) { | |||
// Prevent SQL inject. | |||
opt.Keyword = strings.TrimSpace(opt.Keyword) | |||
if len(opt.Keyword) == 0 { | |||
return repos, nil | |||
} | |||
opt.Keyword = strings.Split(opt.Keyword, " ")[0] | |||
opt.Keyword = FilterSQLInject(opt.Keyword) | |||
if len(opt.Keyword) == 0 { | |||
return repos, nil | |||
} | |||
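Review bot: `FilterSQLInject` does not do what its name and doc comment claim: trimming, cutting at the first space and stripping commas leaves every other character in the keyword, and the keyword is still spliced into the query text by concatenation at `sess.And("lower_name like '%" + opt.Keyword + "%'")` in the next hunk, with the same pattern presumably in SearchUserByName (its query line is outside the visible hunk). The durable fix is to bind the value, `sess.And("lower_name like ?", "%"+opt.Keyword+"%")`, which xorm supports and which this commit already uses for `owner_id=?`; if LIKE wildcards in user input are unwanted, escape `%` and `_` as a separate step. The doc comment should then describe the real behaviour, e.g. `// FilterSQLInject trims the keyword and keeps only its first space-separated token with commas removed; it is not an escaping function.` SearchRepositoryByName continues past the end of this hunk.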
@@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) { | |||
if opt.Uid > 0 { | |||
sess.Where("owner_id=?", opt.Uid) | |||
} | |||
if !opt.Private { | |||
sess.And("is_private=false") | |||
} | |||
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos) | |||
return repos, err | |||
} |
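Review bot: `return repos, err` on the last line returns a nil error whenever the query fails, because the result of `Find(&repos)` on the line above is discarded and nothing in the visible lines assigns the named `err`; a database failure is reported to the caller as an empty result. Assign the call result, `err = sess.And(...).Find(&repos)`, so the new `is_private=false` filter and the rest of the query surface their errors. The function's earlier lines are outside the hunk, so an earlier assignment to `err` cannot be ruled out from here, but the `Find` error is certainly lost.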
@@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) { | |||
// SearchUserByName returns given number of users whose name contains keyword. | |||
func SearchUserByName(opt SearchOption) (us []*User, err error) { | |||
// Prevent SQL inject. | |||
opt.Keyword = strings.TrimSpace(opt.Keyword) | |||
if len(opt.Keyword) == 0 { | |||
return us, nil | |||
} | |||
opt.Keyword = strings.Split(opt.Keyword, " ")[0] | |||
opt.Keyword = FilterSQLInject(opt.Keyword) | |||
if len(opt.Keyword) == 0 { | |||
return us, nil | |||
} |
@@ -31,6 +31,26 @@ func SearchRepos(ctx *middleware.Context) { | |||
opt.Limit = 10 | |||
} | |||
// Check visibility. | |||
if ctx.IsSigned && opt.Uid > 0 { | |||
if ctx.User.Id == opt.Uid { | |||
opt.Private = true | |||
} else { | |||
u, err := models.GetUserById(opt.Uid) | |||
if err != nil { | |||
ctx.JSON(500, map[string]interface{}{ | |||
"ok": false, | |||
"error": err.Error(), | |||
}) | |||
return | |||
} | |||
if u.IsOrganization() && u.IsOrgOwner(ctx.User.Id) { | |||
opt.Private = true | |||
} | |||
// FIXME: how about collaborators? | |||
} | |||
} | |||
repos, err := models.SearchRepositoryByName(opt) | |||
if err != nil { | |||
ctx.JSON(500, map[string]interface{}{ |
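Review bot: The `models.GetUserById(opt.Uid)` failure branch answers HTTP 500 with `err.Error()` in the body, so a search scoped to a non-existent `opt.Uid` is reported as a server error and the internal error text is echoed to the client; if the models package exposes a user-not-exist sentinel, map it to a 404 (or just leave `opt.Private` false and continue), and log the underlying error server-side rather than returning its text. The same echo pattern is already used for the search error below, so if that is this API's convention the status code is the part worth fixing. The `// FIXME: how about collaborators?` line records that users added as collaborators on a private repository still will not see it in search results; that is a functional gap the commit acknowledges and should be tracked. SearchRepos starts before the hunk and continues after it.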
@@ -1 +1 @@ | |||
0.5.6.1024 Beta | |||
0.5.6.1025 Beta |