From c0b561cb5ad601167f471aa4a50fba0366cd9f77 Mon Sep 17 00:00:00 2001
From: Ozzieisaacs
Date: Sat, 1 May 2021 17:10:29 +0200
Subject: [PATCH] Better input check for custom_columns
---
 cps/admin.py | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/cps/admin.py b/cps/admin.py
index c859eef5..fb01e24e 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -473,6 +473,21 @@ def update_table_settings():
 return "Invalid request", 400
 return ""
+def check_valid_read_column(column): if column is not "0": if not calibre_db.session.query(db.Custom_Columns).filter(db.Custom_Columns.id == column) \ .filter(and_(db.Custom_Columns.datatype == 'bool', db.Custom_Columns.mark_for_delete == 0)).all(): return False return True
+def check_valid_restricted_column(column): if column is not "0": if not calibre_db.session.query(db.Custom_Columns).filter(db.Custom_Columns.id == column) \ .filter(and_(db.Custom_Columns.datatype == 'text', db.Custom_Columns.mark_for_delete == 0)).all(): return False return True
+
+
 @admi.route("/admin/viewconfig", methods=["POST"])
 @login_required
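Review bot: `if column is not "0":` in both new helpers is an identity comparison against a string literal, so it is true for any str object that is not that exact literal, including a "0" submitted through the form, which is what the `"0"` default in the callers' `to_save.get(...)` relies on to mean "no column selected". That "0" then reaches the query as `db.Custom_Columns.id == "0"`, matches nothing, and the helper returns False, so the "none" choice is rejected; CPython 3.8+ also emits a SyntaxWarning for the construct. Use equality, `if column != "0":`, in both functions. The two helpers differ only in the datatype they accept, so a single private helper taking the datatype keeps the fix in one place:
```python
def _check_valid_column(column, datatype):
    """Return True for "0" (no column) or for a live custom column of the given datatype."""
    if column == "0":
        return True
    return calibre_db.session.query(db.Custom_Columns).filter(
        db.Custom_Columns.id == column,
        db.Custom_Columns.datatype == datatype,
        db.Custom_Columns.mark_for_delete == 0).first() is not None

def check_valid_read_column(column):
    return _check_valid_column(column, 'bool')

def check_valid_restricted_column(column):
    return _check_valid_column(column, 'text')
```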
@@ -488,12 +503,23 @@ def update_view_configuration():
 if _config_string("config_title_regex"):
 calibre_db.update_title_sort(config)
+ if not check_valid_read_column(to_save.get("config_read_column", "0")):
+ flash(_(u"Invalid Read Column"), category="error")
+ log.debug("Invalid Read column")
+ return view_configuration()
 _config_int("config_read_column")
+
+ if not check_valid_restricted_column(to_save.get("config_restricted_column", "0")):
+ flash(_(u"Invalid Restricted Column"), category="error")
+ log.debug("Invalid Restricted Column")
+ return view_configuration()
+ _config_int("config_restricted_column")
+
 _config_int("config_theme")
 _config_int("config_random_books")
 _config_int("config_books_per_page")
 _config_int("config_authors_max")
- _config_int("config_restricted_column")
+
 config.config_default_role = constants.selected_roles(to_save)
 config.config_default_role &= ~constants.ROLE_ANONYMOUS
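Review bot: The early `return view_configuration()` after the new `check_valid_read_column` test runs only after `calibre_db.update_title_sort(config)` and the `_config_string` calls above it have presumably already copied the earlier form fields into `config`, so unless `view_configuration()` discards those, a rejected column leaves a half-applied configuration in memory (the start of `update_view_configuration` is outside this hunk, so I cannot see whether anything persists it before the return). Validating both column values before any `_config_*` call, i.e. moving the two new `if not check_valid_*` blocks to the top of the function, avoids that. The first debug message also differs in casing from its flash text; `log.debug("Invalid Read Column")` matches the second block. The rejected value is worth logging as well, e.g. `log.debug("Invalid Read Column: %r", to_save.get("config_read_column"))`, since an out-of-range id submitted to an admin endpoint is something an operator may want to see.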