From 3f666d2302f5ad78784f2e8a8362134652eed4b9 Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Sun, 17 Nov 2019 21:40:32 +0000
Subject: [PATCH] Fix exception on badly-formed query string
---
 app/blueprints/packages/packages.py | 4 ++--
 app/blueprints/todo/__init__.py | 5 +++--
 app/utils.py | 6 ++++++
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/app/blueprints/packages/packages.py b/app/blueprints/packages/packages.py
index 1cc2f26..4e1e3af 100644
--- a/app/blueprints/packages/packages.py
+++ b/app/blueprints/packages/packages.py
@@ -52,8 +52,8 @@ def list_all():
 if qb.search and topic:
 return redirect("https://forum.minetest.net/viewtopic.php?t=" + str(topic.topic_id))
- page = int(request.args.get("page") or 1)
- num = min(40, int(request.args.get("n") or 100))
+ page = get_int_or_abort(request.args.get("page"), 1)
+ num = min(40, get_int_or_abort(request.args.get("n"), 100))
 query = query.paginate(page, num, True)
 search = request.args.get("q")
diff --git a/app/blueprints/todo/__init__.py b/app/blueprints/todo/__init__.py
index f4f818a..7cd9ee9 100644
--- a/app/blueprints/todo/__init__.py
+++ b/app/blueprints/todo/__init__.py
@@ -19,6 +19,7 @@ from flask_user import *
 import flask_menu as menu
 from app.models import *
 from app.querybuilder import QueryBuilder
+from app.utils import get_int_or_abort
 bp = Blueprint("todo", __name__)
@@ -82,8 +83,8 @@ def topics():
 total = tmp_q.count()
 topic_count = query.count()
- page = int(request.args.get("page") or 1)
- num = int(request.args.get("n") or 100)
+ page = get_int_or_abort(request.args.get("page"), 1)
+ num = get_int_or_abort(request.args.get("n"), 100)
 if num > 100 and not current_user.rank.atLeast(UserRank.EDITOR):
 num = 100
diff --git a/app/utils.py b/app/utils.py
index fd36392..102219d 100644
--- a/app/utils.py
+++ b/app/utils.py
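Review bot: The new `get_int_or_abort(...)` calls in `list_all()` (app/blueprints/packages/packages.py) still accept zero, negative and arbitrarily large integers, because `min(40, ...)` only caps `n` from above and `page` is not bounded at all; the same holds for `page` and `num` in `topics()` (app/blueprints/todo/__init__.py), where `num` additionally has no upper cap for editors. Whether `query.paginate(page, num, True)` rejects such values cleanly or surfaces a database error depends on the pagination library and backend, neither of which is visible here. Clamping at the call site keeps every malformed value on a defined path, e.g. `num = max(1, min(40, get_int_or_abort(request.args.get("n"), 100)))` plus `if page < 1: abort(400)`. Separately, packages.py gains no import for `get_int_or_abort` while todo/__init__.py does, so it presumably relies on an existing wildcard import from `app.utils`; that is worth confirming. Both function bodies continue outside their hunks.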
@@ -22,6 +22,12 @@ from app.models import *
 from app import app
 import random, string, os, imghdr
+def get_int_or_abort(v, default):
+ try:
+ return int(v or default)
+ except ValueError:
+ abort(400)
+
 def getExtension(filename):
 return filename.rsplit(".", 1)[1].lower() if "." in filename else None
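Review bot: `get_int_or_abort` has no docstring, and its contract is narrower than the name suggests: it only converts, so zero, negative and very large values pass through and every caller has to bound the result itself. I would add `"""Return int(v), or default when v is missing or empty; abort with HTTP 400 if v is not an integer. Performs no range check."""` directly under the `def` line. The helper also needs `abort` to be in scope in app/utils.py; the imports above line 22 are outside this hunk, so confirm it is imported explicitly there rather than arriving through one of the wildcard imports.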