yetangitu/Peertube
1
0
Fork 0
mirror of https://github.com/Chocobozzz/PeerTube.git synced 2025-10-04 10:19:35 +02:00
Code Issues Releases Wiki Activity

Don't inject untrusted input

Browse source 
Even if it's already checked in middlewares
It's better to have safe modals too
This commit is contained in:
Chocobozzz 2022-11-15 14:41:55 +01:00
parent 6bcb559fc9
commit 4638cd713d
No known key found for this signature in database
GPG key ID: 583A612D890159BE
35 changed files with 101 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server/controllers/download.ts
View file

@ -5,7 +5,7 @@ import { VideosTorrentCache } from '@server/lib/files-cache/videos-torrent-cache
import { Hooks } from '@server/lib/plugins/hooks'
import { VideoPathManager } from '@server/lib/video-path-manager'
import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'
import { addQueryParams } from '@shared/core-utils'
import { addQueryParams, forceNumber } from '@shared/core-utils'
import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'
import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'
@ -132,7 +132,7 @@ async function downloadHLSVideoFile (req: express.Request, res: express.Response
}
function getVideoFile (req: express.Request, files: MVideoFile[]) {
const resolution = parseInt(req.params.resolution, 10)
const resolution = forceNumber(req.params.resolution)
return files.find(f => f.resolution === resolution)
}