fix: security issue playlist deletion cross user

fixes #5777
2026-06-29 10:04:27 +00:00 · 2026-06-28 11:41:48 +02:00
parent efb9269e58
commit 7b9a8e3456
3 changed files with 10 additions and 6 deletions
--- a/src/invidious/database/playlists.cr
+++ b/src/invidious/database/playlists.cr
@@ -194,13 +194,13 @@ module Invidious::Database::PlaylistVideos
    PG_DB.exec(request, args: video_array)
  end
-  def delete(index)
+  def delete(index, plid : String)
    request = <<-SQL
      DELETE FROM playlist_videos *
-      WHERE index = $1
+      WHERE index = $1 AND plid = $2
    SQL
-    PG_DB.exec(request, index)
+    PG_DB.exec(request, index, plid)
  end
  def delete_by_playlist(plid : String)
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -364,7 +364,7 @@ module Invidious::Routes::API::V1::Authenticated
      return error_json(404, "Playlist does not contain index")
    end
-    Invidious::Database::PlaylistVideos.delete(index)
+    Invidious::Database::PlaylistVideos.delete(index, plid)
    Invidious::Database::Playlists.update_video_removed(plid, index)
    env.response.status_code = 204
--- a/src/invidious/routes/playlists.cr
+++ b/src/invidious/routes/playlists.cr
@@ -357,8 +357,12 @@ module Invidious::Routes::Playlists
      Invidious::Database::PlaylistVideos.insert(playlist_video)
      Invidious::Database::Playlists.update_video_added(playlist_id, playlist_video.index)
    when "remove_video"
-      index = env.params.query["set_video_id"]
+      index = env.params.query["set_video_id"].to_i64?
-      Invidious::Database::PlaylistVideos.delete(index)
+      if index.nil? || !playlist.index.includes? index
        return error_json(404, "Playlist does not contain index")
      end
      Invidious::Database::PlaylistVideos.delete(index, playlist_id)
      Invidious::Database::Playlists.update_video_removed(playlist_id, index)
    when "move_video_before"
      # TODO: Playlist stub