diff options
| author | citrons <citrons@mondecitronne.com> | 2025-06-14 01:03:32 -0500 |
|---|---|---|
| committer | ubq323 <ubq323@ubq323.website> | 2025-06-14 10:17:34 +0100 |
| commit | 53f8b3fd8adf27ad8a4df5036a7776ff8f6d17cc (patch) | |
| tree | 17bfefd93ff58529a37cad111bec6b5b060ad600 | |
| parent | 6213212d133037c150988bccf622b90800be220b (diff) | |
properly check for invalid page numbers
| -rw-r--r-- | apioforum/forum.py | 7 | ||||
| -rw-r--r-- | apioforum/thread.py | 13 |
2 files changed, 12 insertions, 8 deletions
diff --git a/apioforum/forum.py b/apioforum/forum.py index 289cc40..b86fcc9 100644 --- a/apioforum/forum.py +++ b/apioforum/forum.py @@ -106,8 +106,6 @@ def set_updated(forum_id): @forum_route("",pagination=True) @requires_permission("p_view_forum", login_required=False) def view_forum(forum,page=1): - if page < 1: - abort(400) db = get_db() sortby = request.args.get("sortby","ad") @@ -171,8 +169,11 @@ def view_forum(forum,page=1): LEFT OUTER JOIN thread_tags ON threads.id = thread_tags.thread WHERE threads.forum = ? {tagfilter_clause}; """,(forum['id'],)).fetchone()['count'] - max_pageno = math.ceil(num_threads/THREADS_PER_PAGE) + if page < 1: + abort(404) + elif page > max_pageno and (max_pageno > 0 or page != 1): + abort(404) thread_tags = {} thread_polls = {} diff --git a/apioforum/thread.py b/apioforum/thread.py index 656d43d..fdd72e1 100644 --- a/apioforum/thread.py +++ b/apioforum/thread.py @@ -47,14 +47,20 @@ def post_jump(post_id,*,external=False): @bp.route("/<int:thread_id>") @bp.route("/<int:thread_id>/page/<int:page>") def view_thread(thread_id,page=1): - if page < 1: - abort(400) db = get_db() thread = db.execute("SELECT * FROM threads WHERE id = ?;",(thread_id,)).fetchone() if thread is None: abort(404) if not has_permission(thread['forum'], g.user, "p_view_threads", False): abort(403) + + num_posts = db.execute("SELECT count(*) as count FROM posts WHERE posts.thread = ?",(thread_id,)).fetchone()['count'] + max_pageno = math.ceil(num_posts/POSTS_PER_PAGE) + if page < 1: + abort(404) + elif page > max_pageno and (max_pageno > 0 or page != 1): + abort(404) + posts = db.execute(""" SELECT * FROM posts WHERE posts.thread = ? @@ -66,9 +72,6 @@ def view_thread(thread_id,page=1): (page-1)*POSTS_PER_PAGE, )).fetchall() - num_posts = db.execute("SELECT count(*) as count FROM posts WHERE posts.thread = ?",(thread_id,)).fetchone()['count'] - max_pageno = math.ceil(num_posts/POSTS_PER_PAGE) - tags = db.execute( """SELECT tags.* FROM tags INNER JOIN thread_tags ON thread_tags.tag = tags.id |