diff options
| author | xengineering <me@xengineering.eu> | 2023-04-22 20:38:25 +0200 |
|---|---|---|
| committer | xengineering <me@xengineering.eu> | 2023-04-28 10:44:19 +0200 |
| commit | fff3d70ba494214e434083c9d0e32f3def32138f (patch) | |
| tree | b26fd2753cea2653f465ded0a010768b69e263f4 | |
| parent | 205a36008672c7137e9190f243a9ba137d679e11 (diff) | |
| download | ceres-fff3d70ba494214e434083c9d0e32f3def32138f.tar ceres-fff3d70ba494214e434083c9d0e32f3def32138f.tar.zst ceres-fff3d70ba494214e434083c9d0e32f3def32138f.zip | |
Verify JSON input
Without verification the text input is simply saved to the file. This is
no problem for the recipe editing but since the json.Unmarshal functino
will also fail on the index and recipe page this recipe will simply
disappear from the web server while the file still exists on disk.
| -rw-r--r-- | handler.go | 12 |
1 files changed, 9 insertions, 3 deletions
@@ -1,6 +1,7 @@ package main import ( + "encoding/json" "fmt" "io/ioutil" "net/http" @@ -88,16 +89,21 @@ func recipeEditPost(w http.ResponseWriter, r *http.Request) { } idStr := r.Form["id"][0] - buffer := r.Form["text"][0] - idRegex := regexp.MustCompile(VALID_ID_REGEX) if !(idRegex.MatchString(idStr)) { http.Error(w, "Bad 'id' URL parameter.", 400) return } + buffer := []byte(r.Form["text"][0]) + err := json.Unmarshal(buffer, &recipe{}) + if err != nil { + http.Error(w, "Text input could not be parsed to recipe.", 400) + return + } + textpath := filepath.Join(config.Data, "recipes", idStr, "text") - err := ioutil.WriteFile(textpath, []byte(buffer), 0644) + err = ioutil.WriteFile(textpath, buffer, 0644) if err != nil { http.Error(w, "Could not save new text for recipe.", 500) } |