fix(server): clear server-managed fields in savePlaylist to prevent injection via REST API

Signed-off-by: Deluan <deluan@navidrome.org>
Deluan
2026-03-05 20:56:16 -05:00
parent d2db41691e
commit f102036dc6
2 changed files with 41 additions and 1 deletions
+7 -1
@@ -58,10 +58,16 @@ func (s *playlists) TracksRepository(ctx context.Context, playlistId string, ref
}
// savePlaylist creates a new playlist, assigning the owner from context.
// Only Name, Comment, Public, and Rules are user-settable via the REST API.
func (s *playlists) savePlaylist(ctx context.Context, pls *model.Playlist) (string, error) {
usr, _ := request.UserFrom(ctx)
pls.OwnerID = usr.ID
pls.ID = "" // Force new creation
pls.ID = "" // Force new creation
pls.Path = "" // Server-managed (M3U file path)
pls.Sync = false // Server-managed (M3U sync flag)
pls.UploadedImage = "" // Managed by image upload endpoint
pls.ExternalImageURL = "" // Managed by M3U import / plugins only
pls.EvaluatedAt = nil // Server-managed
err := s.ds.Playlist(ctx).Put(pls)
if err != nil {
return "", err