FIX: add a basic validator for topic params

This cuts down on log noise when people try out sql injection
2025-05-31 09:48:06 +08:00 · 2018-08-14 17:01:04 +10:00
parent 402e570c77
commit ad5f502332
3 changed files with 45 additions and 1 deletions
--- a/app/controllers/list_controller.rb
+++ b/app/controllers/list_controller.rb
@ -371,7 +371,12 @@ class ListController < ApplicationController
    params[:tags] = [params[:tag_id].parameterize] if params[:tag_id].present? && guardian.can_tag_pms?

    TopicQuery.public_valid_options.each do |key|
-      options[key] = params[key]
+      if params.key?(key)
+        val = options[key] = params[key]
+        if !TopicQuery.validate?(key, val)
+          raise Discourse::InvalidParameters.new key
+        end
+      end
    end

    # hacky columns get special handling