API: Improve request parameter sanitation #1814

2025-12-12 00:34:13 +01:00 · 2021-12-14 18:34:52 +01:00
parent 9a8144c046
commit 4e94919030
34 changed files with 338 additions and 115 deletions
--- a/internal/api/photo_unstack.go
+++ b/internal/api/photo_unstack.go
@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"path/filepath"

+	"github.com/photoprism/photoprism/pkg/sanitize"
+
 	"github.com/gin-gonic/gin"
 	"github.com/photoprism/photoprism/internal/acl"
 	"github.com/photoprism/photoprism/internal/entity"
@@ -31,7 +33,7 @@ func PhotoUnstack(router *gin.RouterGroup) {
 		}

 		conf := service.Config()
-		fileUID := c.Param("file_uid")
+		fileUID := sanitize.IdString(c.Param("file_uid"))
 		file, err := query.FileByUID(fileUID)

 		if err != nil {