diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
| commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
| tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/api/videos/update.ts | |
| parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
| download | PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe modals too
Diffstat (limited to 'server/controllers/api/videos/update.ts')
| -rw-r--r-- | server/controllers/api/videos/update.ts | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/server/controllers/api/videos/update.ts b/server/controllers/api/videos/update.ts index 0a910379a..260dee2b9 100644 --- a/server/controllers/api/videos/update.ts +++ b/server/controllers/api/videos/update.ts | |||
| @@ -19,6 +19,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, videosU | |||
| 19 | import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update' | 19 | import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update' |
| 20 | import { VideoModel } from '../../../models/video/video' | 20 | import { VideoModel } from '../../../models/video/video' |
| 21 | import { VideoPathManager } from '@server/lib/video-path-manager' | 21 | import { VideoPathManager } from '@server/lib/video-path-manager' |
| 22 | import { forceNumber } from '@shared/core-utils' | ||
| 22 | 23 | ||
| 23 | const lTags = loggerTagsFactory('api', 'video') | 24 | const lTags = loggerTagsFactory('api', 'video') |
| 24 | const auditLogger = auditLoggerFactory('videos') | 25 | const auditLogger = auditLoggerFactory('videos') |
| @@ -174,7 +175,7 @@ async function updateVideoPrivacy (options: { | |||
| 174 | const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options | 175 | const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options |
| 175 | const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy) | 176 | const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy) |
| 176 | 177 | ||
| 177 | const newPrivacy = parseInt(videoInfoToUpdate.privacy.toString(), 10) | 178 | const newPrivacy = forceNumber(videoInfoToUpdate.privacy) |
| 178 | setVideoPrivacy(videoInstance, newPrivacy) | 179 | setVideoPrivacy(videoInstance, newPrivacy) |
| 179 | 180 | ||
| 180 | // Unfederate the video if the new privacy is not compatible with federation | 181 | // Unfederate the video if the new privacy is not compatible with federation |