From 53f8b3fd8adf27ad8a4df5036a7776ff8f6d17cc Mon Sep 17 00:00:00 2001 From: citrons Date: Sat, 14 Jun 2025 01:03:32 -0500 Subject: properly check for invalid page numbers --- apioforum/forum.py | 7 ++++--- apioforum/thread.py | 13 ++++++++----- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/apioforum/forum.py b/apioforum/forum.py index 289cc40..b86fcc9 100644 --- a/apioforum/forum.py +++ b/apioforum/forum.py @@ -106,8 +106,6 @@ def set_updated(forum_id): @forum_route("",pagination=True) @requires_permission("p_view_forum", login_required=False) def view_forum(forum,page=1): - if page < 1: - abort(400) db = get_db() sortby = request.args.get("sortby","ad") @@ -171,8 +169,11 @@ def view_forum(forum,page=1): LEFT OUTER JOIN thread_tags ON threads.id = thread_tags.thread WHERE threads.forum = ? {tagfilter_clause}; """,(forum['id'],)).fetchone()['count'] - max_pageno = math.ceil(num_threads/THREADS_PER_PAGE) + if page < 1: + abort(404) + elif page > max_pageno and (max_pageno > 0 or page != 1): + abort(404) thread_tags = {} thread_polls = {} diff --git a/apioforum/thread.py b/apioforum/thread.py index 656d43d..fdd72e1 100644 --- a/apioforum/thread.py +++ b/apioforum/thread.py @@ -47,14 +47,20 @@ def post_jump(post_id,*,external=False): @bp.route("/") @bp.route("//page/") def view_thread(thread_id,page=1): - if page < 1: - abort(400) db = get_db() thread = db.execute("SELECT * FROM threads WHERE id = ?;",(thread_id,)).fetchone() if thread is None: abort(404) if not has_permission(thread['forum'], g.user, "p_view_threads", False): abort(403) + + num_posts = db.execute("SELECT count(*) as count FROM posts WHERE posts.thread = ?",(thread_id,)).fetchone()['count'] + max_pageno = math.ceil(num_posts/POSTS_PER_PAGE) + if page < 1: + abort(404) + elif page > max_pageno and (max_pageno > 0 or page != 1): + abort(404) + posts = db.execute(""" SELECT * FROM posts WHERE posts.thread = ? 
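Review bot: The new range check in view_forum spells the same rejection twice; `if page < 1 or page > max(max_pageno, 1): abort(404)` covers both branches, because `max(max_pageno, 1)` is exactly the "an empty forum still has a blank page 1" case that the `(max_pageno > 0 or page != 1)` clause encodes. The identical block is added to view_thread in the thread.py hunk, so a small shared helper (e.g. `check_page(page, max_pageno)` in a module both views already import) would keep the two views from drifting the next time the rule changes. Whichever form stays, a one-line comment such as `# page 1 is always valid so an empty forum/thread renders instead of 404ing` would explain the otherwise puzzling `page != 1` clause. view_forum's body starts and ends outside this hunk, and view_thread's continues into the following hunk.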
@@ -66,9 +72,6 @@ def view_thread(thread_id,page=1): (page-1)*POSTS_PER_PAGE, )).fetchall() - num_posts = db.execute("SELECT count(*) as count FROM posts WHERE posts.thread = ?",(thread_id,)).fetchone()['count'] - max_pageno = math.ceil(num_posts/POSTS_PER_PAGE) - tags = db.execute( """SELECT tags.* FROM tags INNER JOIN thread_tags ON thread_tags.tag = tags.id -- cgit v1.2.3