diff --git a/admin.go b/admin.go
index 67e87a3..a5558ef 100644
--- a/admin.go
+++ b/admin.go
@@ -48,7 +48,7 @@ func deleteHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
 	var isNew bool
 	ids := strings.Split(mux.Vars(r)["ids"], "/")
 	for _, idStr := range ids {
-		if idStr == "" {
+		if !bson.IsObjectIdHex(idStr) {
 			continue
 		}
 
@@ -79,11 +79,12 @@ func deleteHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
 }
 
 func editHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
-	if sess.User == "" {
+	idStr := mux.Vars(r)["id"]
+	if sess.User == "" || !bson.IsObjectIdHex(idStr) {
 		notFound(w)
 		return
 	}
-	id := bson.ObjectIdHex(mux.Vars(r)["id"])
+	id := bson.ObjectIdHex(idStr)
 	books, _, err := db.GetBooks(bson.M{"_id": id})
 	if err != nil {
 		notFound(w)
@@ -107,12 +108,12 @@ func cleanEmptyStr(s []string) []string {
 }
 
 func saveHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
-	if sess.User == "" {
+	idStr := mux.Vars(r)["id"]
+	if sess.User == "" || !bson.IsObjectIdHex(idStr) {
 		notFound(w)
 		return
 	}
 
-	idStr := mux.Vars(r)["id"]
 	id := bson.ObjectIdHex(idStr)
 	title := r.FormValue("title")
 	publisher := r.FormValue("publisher")
@@ -210,7 +211,7 @@ func storeHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
 	var titles []string
 	ids := strings.Split(mux.Vars(r)["ids"], "/")
 	for _, idStr := range ids {
-		if idStr == "" {
+		if !bson.IsObjectIdHex(idStr) {
 			continue
 		}
 
diff --git a/cover.go b/cover.go
index ff9f220..dba08f3 100644
--- a/cover.go
+++ b/cover.go
@@ -23,6 +23,10 @@ import (
 
 func coverHandler(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
+	if !bson.IsObjectIdHex(vars["id"]) {
+		notFound(w)
+		return
+	}
 	id := bson.ObjectIdHex(vars["id"])
 	books, _, err := db.GetBooks(bson.M{"_id": id})
 	if err != nil || len(books) == 0 {
diff --git a/reader.go b/reader.go
index d030c3f..2664776 100644
--- a/reader.go
+++ b/reader.go
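Review bot: The `idStr := mux.Vars(r)["id"]` / `if !bson.IsObjectIdHex(idStr)` guard added to editHandler and saveHandler in this section is repeated verbatim in coverHandler, bookHandler and downloadHandler, so every future handler that takes an id route variable has to remember it or it reintroduces the malformed-input panic in bson.ObjectIdHex that this commit appears to be closing. Moving the lookup-and-validate step into one helper keeps the check in a single place; if the routes are registered with gorilla/mux patterns, the same effect can be had by constraining the variable at registration as `{id:[0-9a-fA-F]{24}}`, though the router setup is not part of this diff. saveHandler's body continues past the hunk, so if it still uses idStr further down, keep that local or use `id.Hex()`.
```go
// objectIDFromVars reads route variable key and converts it to an ObjectId;
// ok is false when the value is missing or not a 24-character hex string,
// so bson.ObjectIdHex is never called with input it would reject.
func objectIDFromVars(r *http.Request, key string) (id bson.ObjectId, ok bool) {
	idStr := mux.Vars(r)[key]
	if !bson.IsObjectIdHex(idStr) {
		return "", false
	}
	return bson.ObjectIdHex(idStr), true
}

func editHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
	id, ok := objectIDFromVars(r, "id")
	if sess.User == "" || !ok {
		notFound(w)
		return
	}
	// … unchanged: GetBooks lookup and the rest of the handler …
```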
@@ -172,6 +172,9 @@ func readHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
 func openReadEpub(w http.ResponseWriter, r *http.Request, sess *Session) (*epubgo.Epub, Book) {
 	var book Book
 	id := mux.Vars(r)["id"]
+	if !bson.IsObjectIdHex(id) {
+		return nil, book
+	}
 	books, _, err := db.GetBooks(bson.M{"_id": bson.ObjectIdHex(id)})
 	if err != nil || len(books) == 0 {
 		return nil, book
@@ -194,7 +197,7 @@ func contentHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 	file := vars["file"]
-	if file == "" {
+	if file == "" || !bson.IsObjectIdHex(id) {
 		notFound(w)
 		return
 	}
diff --git a/stats.go b/stats.go
index 4751f46..53cc01a 100644
--- a/stats.go
+++ b/stats.go
@@ -60,18 +60,21 @@ func appendMuxVars(vars map[string]string, stats map[string]interface{}) {
 	for key, value := range vars {
 		switch {
 		case key == "id":
-			stats["id"] = bson.ObjectIdHex(value)
+			if bson.IsObjectIdHex(value) {
+				stats["id"] = bson.ObjectIdHex(value)
+			}
 		case key == "ids":
 			var objectIds []bson.ObjectId
 			ids := strings.Split(value, "/")
 			for _, id := range ids {
-				if id == "" {
-					continue
+				if bson.IsObjectIdHex(value) {
+					objectIds = append(objectIds, bson.ObjectIdHex(id))
 				}
-				objectIds = append(objectIds, bson.ObjectIdHex(id))
 			}
-			stats["ids"] = objectIds
-			stats["id"] = objectIds[0]
+			if len(objectIds) > 0 {
+				stats["ids"] = objectIds
+				stats["id"] = objectIds[0]
+			}
 		default:
 			stats[key] = value
 		}
diff --git a/trantor.go b/trantor.go
index d106a20..418f53e 100644
--- a/trantor.go
+++ b/trantor.go
@@ -48,9 +48,15 @@ type bookData struct {
 }
 
 func bookHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
+	idStr := mux.Vars(r)["id"]
+	if !bson.IsObjectIdHex(idStr) {
+		notFound(w)
+		return
+	}
+
 	var data bookData
 	data.S = GetStatus(w, r)
-	id := bson.ObjectIdHex(mux.Vars(r)["id"])
+	id := bson.ObjectIdHex(idStr)
 	books, _, err := db.GetBooks(bson.M{"_id": id})
 	if err != nil || len(books) == 0 {
 		notFound(w)
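Review bot: In the stats.go hunk the per-element check inside the `ids` loop tests the whole route value instead of the current element: `if bson.IsObjectIdHex(value) {` should be `if bson.IsObjectIdHex(id) {`. Because value is the slash-joined list, the test is false for any request carrying two or more ids, so objectIds stays empty and neither stats["ids"] nor stats["id"] is recorded; with a single id value and id coincide and the bug is invisible, which is presumably why it was not noticed. Once the element is checked, a malformed id is skipped rather than passed to bson.ObjectIdHex, and the added `if len(objectIds) > 0` guard correctly covers the old objectIds[0] panic on an empty list. appendMuxVars starts and ends outside the hunk.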
@@ -62,7 +68,13 @@ func bookHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
 }
 
 func downloadHandler(w http.ResponseWriter, r *http.Request, sess *Session) {
-	id := bson.ObjectIdHex(mux.Vars(r)["id"])
+	idStr := mux.Vars(r)["id"]
+	if !bson.IsObjectIdHex(idStr) {
+		notFound(w)
+		return
+	}
+
+	id := bson.ObjectIdHex(idStr)
 	books, _, err := db.GetBooks(bson.M{"_id": id})
 	if err != nil || len(books) == 0 {
 		notFound(w)