From d4b6dd22bcb4061473e6a340c443ee580cad191b Mon Sep 17 00:00:00 2001
From: everpcpc
Date: Mon, 27 May 2024 11:55:41 +0800
Subject: [PATCH] z
---
 web/handler/subject/browse.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/web/handler/subject/browse.go b/web/handler/subject/browse.go
index 05fb35d95..4dd3b177f 100644
--- a/web/handler/subject/browse.go
+++ b/web/handler/subject/browse.go
@@ -109,6 +109,9 @@ func parseBrowseQuery(c echo.Context) (*subject.BrowseFilter, error) {
 if year, err := gstr.ParseInt32(yearStr); err != nil {
 return nil, res.BadRequest(err.Error())
 } else {
+ if year < 1900 || year > 3000 {
+ return nil, res.BadRequest("invalid year: " + yearStr)
+ }
 filter.Year = null.Int32{Value: year, Set: true}
 }
 }
@@ -116,6 +119,9 @@ func parseBrowseQuery(c echo.Context) (*subject.BrowseFilter, error) {
 if month, err := gstr.ParseInt8(monthStr); err != nil {
 return nil, res.BadRequest(err.Error())
 } else {
+ if month < 1 || month > 12 {
+ return nil, res.BadRequest("invalid month: " + monthStr)
+ }
 filter.Month = null.Int8{Value: month, Set: true}
 }
 }
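Review bot: The new range checks hard-code their bounds (`year < 1900 || year > 3000` in the first hunk, `month < 1 || month > 12` in the second) with no comment saying why those limits were chosen, and the 1900/3000 pair in particular reads as arbitrary. Naming them, e.g. `const minBrowseYear, maxBrowseYear = 1900, 3000`, with a one-line comment on what the limits protect (presumably the downstream date filter) would make the validation easier to audit. Both rejections also echo the raw query string (`"invalid year: " + yearStr`). By that point it has parsed as an integer, so its content is constrained, but its length may not be (leading zeros, if the gstr helper wraps strconv), so a fixed message such as `res.BadRequest("year must be between 1900 and 3000")` would be tidier. parseBrowseQuery starts and ends outside both hunks.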