From c97d9277ba0b5ee664e6a0918688bc51b68ea842 Mon Sep 17 00:00:00 2001
From: Dean Sheather <dean@deansheather.com>
Date: Sat, 30 Mar 2019 04:15:27 +1000
Subject: [PATCH] version 1.6.4: 400 on negative offset/limit

---
 lib/apierrors/errors.go   |  2 +-
 lib/routes/listobjects.go | 12 ++++++------
 main.go                   |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/apierrors/errors.go b/lib/apierrors/errors.go
index 8b0b1c3..67c9c10 100644
--- a/lib/apierrors/errors.go
+++ b/lib/apierrors/errors.go
@@ -33,7 +33,7 @@ var (
 	InvalidOffsetOrLimit = APIError{false, 400, "invalid offset or limit query paramters", false}
 
 	// OffsetTooLarge is a 400 bad request error.
-	OffsetTooLarge = APIError{false, 400, "offset is too big", false}
+	LimitTooLarge = APIError{false, 400, "limit is too big", false}
 
 	// NoObjectFound is a 404 not found error.
 	NoObjectFound = APIError{false, 404, "no object found", false}
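Review bot: The doc comment above the renamed variable still reads `// OffsetTooLarge is a 400 bad request error.` while the identifier is now `LimitTooLarge`, so godoc and grep will point readers at a name that no longer exists; change it to `// LimitTooLarge is a 400 bad request error.`. Since this error is raised when the limit exceeds the per-page maximum, a note of that condition would help too, e.g. `// LimitTooLarge is a 400 bad request error returned when the limit query parameter exceeds the page maximum.`. Unrelated to this change, the `InvalidOffsetOrLimit` message in the context line above spells "parameters" as "paramters"; that is a user-facing string, so fixing it is a behaviour change worth its own commit.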
diff --git a/lib/routes/listobjects.go b/lib/routes/listobjects.go
index 8647c39..c4a9058 100644
--- a/lib/routes/listobjects.go
+++ b/lib/routes/listobjects.go
@@ -15,7 +15,7 @@ import (
 )
 
 // Maximum objects per page
-const maxOffset = 100
+const maxLimit = 100
 
 // listObjectsResponse is the response format for ListObjects.
 type listObjectsResponse struct {
@@ -45,17 +45,17 @@ func ListObjects(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	l := query.Get("limit")
 	limit, err := strconv.Atoi(l)
-	if err != nil {
+	if err != nil || limit < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
+	if limit > maxLimit {
+		panic(apierrors.LimitTooLarge)
+	}
 	o := query.Get("offset")
 	offset, err := strconv.Atoi(o)
-	if err != nil {
+	if err != nil || offset < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
-	if limit > maxOffset {
-		panic(apierrors.OffsetTooLarge)
-	}
 	asc := false
 	if query.Get("order") == "asc" {
 		asc = true
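Review bot: The limit and offset blocks now carry the same parse-and-reject logic (`strconv.Atoi` followed by `err != nil || n < 0` and a panic with `InvalidOffsetOrLimit`), which is a copy-paste pattern that is easy to drift apart the next time a parameter is added; a small helper keeps the two checks identical and makes the intent (non-negative integer query value) explicit. Moving the `limit > maxLimit` check directly after the limit parse, as the hunk does, is the right ordering, and the rejection of negative values before they reach the store is the useful part of this change. The helper takes the raw string rather than the query map, so no new import is needed. ListObjects starts before this hunk and continues after it; if `err` is reused later in the function it would need its own declaration there, which I cannot see from the hunk.

```go
	limit := nonNegativeQueryInt(query.Get("limit"))
	if limit > maxLimit {
		panic(apierrors.LimitTooLarge)
	}
	offset := nonNegativeQueryInt(query.Get("offset"))
	// … unchanged: order parsing and the rest of ListObjects …

// nonNegativeQueryInt parses s as a non-negative integer query parameter and
// panics with apierrors.InvalidOffsetOrLimit when s is missing, malformed or
// negative, matching the existing error contract of ListObjects.
func nonNegativeQueryInt(s string) int {
	n, err := strconv.Atoi(s)
	if err != nil || n < 0 {
		panic(apierrors.InvalidOffsetOrLimit)
	}
	return n
}
```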
diff --git a/main.go b/main.go
index 9049d1d..f3c2563 100644
--- a/main.go
+++ b/main.go
@@ -26,7 +26,7 @@ import (
 const (
 	configLocationUnix = "/etc/whats-this/api/config.toml"
 	shutdownTimeout    = 10 * time.Second
-	version            = "1.6.3"
+	version            = "1.6.4"
 )
 
 // printConfiguration iterates through a configuration map[string]interface{}
-- 
GitLab