fixes GHSA-hq29-8hhx-5jwc [search] check input parameter ratings

2026-06-26 13:01:14 +02:00 · 2026-06-25 13:29:59 +02:00
parent 2357a86d51
commit 9755d88edf
2 changed files with 9 additions and 1 deletions
@@ -637,7 +637,7 @@ SELECT
      }
      else
      {
-        $filter_clauses[] = '(rating_score >= '.(intval($r)-1).' AND rating_score < '.$r.')';
+        $filter_clauses[] = '(rating_score >= '.(intval($r)-1).' AND rating_score < '.intval($r).')';
      }
    }

@@ -1039,6 +1039,14 @@ function ws_images_filteredSearch_create($params, $service)

  if ($conf['rate'] and isset($params['ratings']))
  {
+    foreach ($params['ratings'] as $rate)
+    {
+      if (!preg_match('/^\d+$/i', $rate))
+      {
+        return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid parameter ratings');
+      }
+    }
+
    $search['fields']['ratings'] = $params['ratings'];
  }