fix potential sql injection

This commit is contained in:
TheMelmacian 2023-11-26 22:21:16 +01:00
parent 1f4acf10d7
commit fb58c28676
1 changed files with 14 additions and 2 deletions


@ -4378,16 +4378,28 @@ namespace Emby.Server.Implementations.Data
if (query.AudioLanguage.Length > 0)
{
var languages = string.Join(",", query.AudioLanguage.Select(lang => "'" + lang + "'"));
var languages = string.Join(", ", query.AudioLanguage.Select((lang, index) => $"@AudioLanguage_{index}"));
var undefinedLanguage = query.AudioLanguage.Contains("und") ? "or ms.Language is null" : string.Empty; // language with null value is handled as unddefined
mediaStreamsFilters.Add("SELECT CASE WHEN EXISTS (SELECT 1 FROM items JOIN MediaStreams ms ON ms.ItemId = items.ItemId AND ms.StreamType = 'Audio' AND (ms.Language in (" + languages + ") " + undefinedLanguage + ") limit 1) THEN TRUE ELSE FALSE END AS StreamFilterMatches");
var i = 0;
foreach (var lang in query.AudioLanguage)
{
statement?.TryBind($"@AudioLanguage_{i++}", lang);
}
}
if (query.SubtitleLanguage.Length > 0)
{
var languages = string.Join(",", query.SubtitleLanguage.Select(lang => "'" + lang + "'"));
var languages = string.Join(", ", query.SubtitleLanguage.Select((lang, index) => $"@SubtitleLanguage_{index}"));
var undefinedLanguage = query.SubtitleLanguage.Contains("und") ? "or ms.Language is null" : string.Empty; // language with null value is handled as unddefined
mediaStreamsFilters.Add("SELECT CASE WHEN EXISTS (SELECT 1 FROM items JOIN MediaStreams ms ON ms.ItemId = items.ItemId AND ms.StreamType = 'Subtitle' AND (ms.Language in (" + languages + ") " + undefinedLanguage + ") limit 1) THEN TRUE ELSE FALSE END AS StreamFilterMatches");
var i = 0;
foreach (var lang in query.SubtitleLanguage)
{
statement?.TryBind($"@SubtitleLanguage_{i++}", lang);
}
}
if (mediaStreamsFilters.Count > 0)
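Review bot: The bind loops keep a hand-rolled counter (`var i = 0;` … `$"@AudioLanguage_{i++}"`) to reproduce the index that the placeholder `Select((lang, index) => …)` on the line above already derives from array position, so the parameter text and the bound name are generated by two independent counters that must stay in lockstep; an index loop makes that coupling explicit, e.g. `for (var i = 0; i < query.AudioLanguage.Length; i++)` with `statement?.TryBind($"@AudioLanguage_{i}", query.AudioLanguage[i]);`, and the same applies to the SubtitleLanguage block. The parameterization itself is the right fix: the placeholder names are built only from a fixed prefix and an integer, so no caller-supplied text reaches the SQL, and the distinct `AudioLanguage_`/`SubtitleLanguage_` prefixes keep the two parameter sets from colliding when both filters are present. One thing worth confirming from TryBind's definition (not in this hunk) is what happens when a name is not present on the statement — if the call is a silent no-op, an unbound SQLite parameter evaluates as NULL and the `ms.Language in (...)` filter degrades quietly rather than failing, which is worth a comment at the bind site. The enclosing method starts before and ends after this hunk.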