general03 / flask-autoindex

Generates index page like mod_autoindex
https://flask-autoindex.readthedocs.io
MIT License

Sort order parameter is not validated #42

Closed gareth-rees closed 5 years ago

gareth-rees commented 5 years ago

The sort order comes from the order parameter in the request:

order = {'asc': 1, 'desc': -1}[request.args.get('order', 'asc')]

But you'll see that there's no validation of the parameter, so that passing ?order=bug results in a KeyError exception and a "500 Internal Server Error" response.

A more robust (and shorter!) alternative would be something like this:

order = -1 if request.args.get('order') == 'desc' else 1

general03 commented 5 years ago

Impossible to reproduce this issue
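The two lookups from the opening comment, side by side, as an added example that is not part of the issue or the project's code. It assumes a plain dict built with `urllib.parse` as a stand-in for `request.args`; the `handle` function, the `BadRequest` class, the strict variant and the sample listing are hypothetical and constructed for illustration.

```python
from urllib.parse import parse_qsl

ORDERS = {'asc': 1, 'desc': -1}
ENTRIES = ['b.txt', 'a.txt', 'c.txt']  # constructed directory listing


class BadRequest(Exception):
    """Hypothetical stand-in for a framework's 400 error."""


def order_original(args):
    # Lookup quoted in the issue: a value outside the dict raises KeyError.
    return ORDERS[args.get('order', 'asc')]


def order_lenient(args):
    # Fix proposed in the issue: anything other than 'desc' means ascending.
    return -1 if args.get('order') == 'desc' else 1


def order_strict(args):
    # Alternative (assumption, not from the issue): reject unknown values.
    value = args.get('order', 'asc')
    if value not in ORDERS:
        raise BadRequest('order must be one of: ' + ', '.join(sorted(ORDERS)))
    return ORDERS[value]


def handle(parser, query):
    """Return (status, body) roughly as a web framework would for this view."""
    args = dict(parse_qsl(query))  # stand-in for request.args
    try:
        order = parser(args)
    except BadRequest as exc:
        return 400, str(exc)
    except Exception:
        # An unhandled exception in a view surfaces as a 500 response.
        return 500, 'Internal Server Error'
    return 200, sorted(ENTRIES, reverse=(order == -1))


if __name__ == '__main__':
    for query in ('', 'order=desc', 'order=bug'):
        for parser in (order_original, order_lenient, order_strict):
            print(repr(query), parser.__name__, handle(parser, query))
```

The lenient form never fails but silently treats a typo such as `order=dsc` as ascending; the strict form turns the same input into a client error instead of a server error.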