From 58f726311bcf26a8bda2df1b9c440000fe701058 Mon Sep 17 00:00:00 2001
From: lian <imwhatiam123@gmail.com>
Date: Wed, 23 Aug 2023 16:18:49 +0800
Subject: [PATCH] check share_to param

---
 seahub/api2/endpoints/repo_folder_share_info.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/seahub/api2/endpoints/repo_folder_share_info.py b/seahub/api2/endpoints/repo_folder_share_info.py
index ce4d7f1debe..7964e967dd4 100644
--- a/seahub/api2/endpoints/repo_folder_share_info.py
+++ b/seahub/api2/endpoints/repo_folder_share_info.py
@@ -45,6 +45,11 @@ def get(self, request, format=None):
             error_msg = 'repo_id invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
+        share_to = request.GET.get('share_to')
+        if share_to and share_to not in ('user', 'group'):
+            error_msg = 'share_to invalid.'
+            return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+
         # resource check
         repo = seafile_api.get_repo(repo_id)
         if not repo:
@@ -58,8 +63,6 @@ def get(self, request, format=None):
 
         # get share inifo
         share_info_list = []
-        share_to = request.GET.get('share_to')
-
         try:
             seafile_db = SeafileDB()
         except Exception as e: