#3 Remove Vulnerability in Search/Addmusic

Open
tarfeef101 opened 3 years ago · 1 comment
tarfeef101 commented 3 years ago

Those commands can allow arbitrary host code execution, so we need to properly sanitize inputs and run these safely. This will also allow us to remove the whitelist. This was avoided for a long time because I didn't want to add syntax (delimiters) in multi-variable queries, but I think that'll be a necessary evil.

tarfeef101 commented 3 years ago
Owner

Since the underlying beets API still matches substrings (e.g. to get the song "confusion", you CAN submit the query "confusio"), we can leverage special characters we can expect to be rare, for users to often exclude by default, and that wouldn't appear in the middle of a word.

Specifically, using a comma to separate variables in a query string should be okay, since most users won't put those in even if they are technically in a song/artist/album name, they won't be in the middle of words (causing their omission to lose results), and if we really want to, we could even check the word following one to see if the user is trying to use a command, or if they are continuing the last search string, since that will only fail in the minuscule edge case of a search string where the comma is before a word equal to a keyword, but the user intended to match the song/artist/album, not start a new variable in their search string.

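A parser for the comma-delimited scheme proposed in this comment, added here as an example and not part of the issue or the bot's own code: a comma starts a new variable only when the word after it is a keyword, otherwise the text continues the previous search string, and the resulting fields are passed to beets as separate argv elements so no shell ever interprets user input. The keyword names, the `title` default for the first chunk and the `beet ls` invocation are assumptions.

```python
import subprocess
from typing import Dict, List

# Keywords recognised after a comma, mapped to beets field names.
# Hypothetical: the bot's real keyword list is not shown in the issue.
KEYWORDS = {"song": "title", "artist": "artist", "album": "album"}


def parse_query(raw: str) -> Dict[str, str]:
    """Split a comma-delimited query into beets fields.

    "confusio, artist new order, part 2" -> title=confusio,
    artist="new order, part 2" (the third chunk has no keyword,
    so it continues the artist string rather than starting a new one).
    """
    fields: Dict[str, str] = {}
    current = "title"  # assumption: an unprefixed first chunk is the song
    for chunk in raw.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        head, _, rest = chunk.partition(" ")
        # A keyword only counts when a value follows it; a bare keyword
        # is treated as search text (the edge case the comment mentions).
        if head.lower() in KEYWORDS and rest.strip():
            current = KEYWORDS[head.lower()]
            chunk = rest.strip()
        if current in fields:
            fields[current] += ", " + chunk  # re-join the comma we split on
        else:
            fields[current] = chunk
    return fields


def build_argv(fields: Dict[str, str]) -> List[str]:
    """Build one argv element per field using beets' field:value syntax.

    Each value is a single argument; metacharacters such as ; | $ ( are
    plain data to beets because no shell is involved.
    """
    return ["beet", "ls"] + [f"{name}:{value}" for name, value in fields.items()]


def run_search(raw: str) -> str:
    """Run the query with shell=False so the host never parses user input."""
    argv = build_argv(parse_query(raw))
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout
```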