Merge pull request #3702 from reosarevok/MBS-14231

reosarevok · web-flow · commit 5730b744d7bd · 2026-01-12T17:16:29.000+01:00
MBS-14231: Block API POST of tags with commas
diff --git a/lib/MusicBrainz/Server/Controller/WS/2/Tag.pm b/lib/MusicBrainz/Server/Controller/WS/2/Tag.pm
@@ -112,6 +112,13 @@ sub tag_submit : Private
                     $self->_error($c, 'Unrecognized vote type: ' . $vote);
                 }
             }
+            # Block upvoting and downvoting tags with commas, which are not
+            # properly supported by the UI. Still allow withdrawing tags
+            # with commas to delete legacy tags.
+            if ($name =~ /,/ && $vote ne 'withdraw') {
+                $self->_error($c, 'The tag name cannot contain commas. To submit multiple tags, send multiple user-tag elements.');
+            }
+
             push @{ $submit->{$name} //= [] }, [$model, $vote, $entity->id];
         }
 
diff --git a/t/lib/t/MusicBrainz/Server/Controller/WS/2/Authenticated.pm b/t/lib/t/MusicBrainz/Server/Controller/WS/2/Authenticated.pm
@@ -318,4 +318,78 @@ test 'Empty tag names are disallowed' => sub {
     is_xml_same($mech->content, $error_message);
 };
 
+
+test 'Tags with commas are disallowed' => sub {
+    my $test = shift;
+    my $c = $test->c;
+    my $mech = $test->mech;
+
+    MusicBrainz::Server::Test->prepare_test_database($c, '+edit_recording');
+    MusicBrainz::Server::Test->prepare_test_database($c, <<~'SQL');
+        SELECT setval('tag_id_seq', (SELECT MAX(id) FROM tag));
+        INSERT INTO editor (id, name, password, ha1)
+            VALUES (1, 'new_editor', '{CLEARTEXT}password', 'e1dd8fee8ee728b0ddc8027d3a3db478')
+        SQL
+
+    my $error_message = <<~'EOXML';
+        <?xml version="1.0"?>
+        <error>
+            <text>The tag name cannot contain commas. To submit multiple tags, send multiple user-tag elements.</text>
+            <text>For usage, please see: https://musicbrainz.org/development/mmd</text>
+        </error>
+        EOXML
+
+    $mech->default_header('Accept' => 'application/xml');
+    $mech->credentials('localhost:80', 'musicbrainz.org', 'new_editor', 'password');
+
+    my $content = <<~'EOXML';
+        <?xml version="1.0" encoding="UTF-8"?>
+        <metadata xmlns="http://musicbrainz.org/ns/mmd-2.0#">
+            <recording-list>
+                <recording id="581556f0-755f-11de-8a39-0800200c9a66">
+                    <user-tag-list>
+                        <user-tag><name>TAG_NAME</name></user-tag>
+                    </user-tag-list>
+                </recording>
+            </recording-list>
+        </metadata>
+        EOXML
+
+    $mech->request(xml_post('/ws/2/tag?client=post.t-0.0.2', $content =~ s/TAG_NAME/have, a comma/r));
+    is($mech->status, HTTP_BAD_REQUEST, 'Bad request error since commas in legacy tags are disallowed');
+    is_xml_same($mech->content, $error_message);
+
+    $content = <<~'EOXML';
+        <?xml version="1.0" encoding="UTF-8"?>
+        <metadata xmlns="http://musicbrainz.org/ns/mmd-2.0#">
+            <recording-list>
+                <recording id="581556f0-755f-11de-8a39-0800200c9a66">
+                    <user-tag-list>
+                        <user-tag vote="upvote"><name>TAG_NAME</name></user-tag>
+                    </user-tag-list>
+                </recording>
+            </recording-list>
+        </metadata>
+        EOXML
+
+    $mech->request(xml_post('/ws/2/tag?client=post.t-0.0.2', $content =~ s/TAG_NAME/have, a comma/r));
+    is($mech->status, HTTP_BAD_REQUEST, 'Bad request error since commas in upvote tags are disallowed');
+    is_xml_same($mech->content, $error_message);
+
+    $content = <<~'EOXML';
+        <?xml version="1.0" encoding="UTF-8"?>
+        <metadata xmlns="http://musicbrainz.org/ns/mmd-2.0#">
+            <recording-list>
+                <recording id="581556f0-755f-11de-8a39-0800200c9a66">
+                    <user-tag-list>
+                        <user-tag vote="withdraw"><name>TAG_NAME</name></user-tag>
+                    </user-tag-list>
+                </recording>
+            </recording-list>
+        </metadata>
+        EOXML
+
+    $mech->request(xml_post('/ws/2/tag?client=post.t-0.0.2', $content =~ s/TAG_NAME/have, a comma/r));
+    is($mech->status, HTTP_OK, 'No error is returned since commas in withdraw tags are allowed');
+};
 1;

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,13 @@ sub tag_submit : Private`
`112`	`112`	`$self->_error($c, 'Unrecognized vote type: ' . $vote);`
`113`	`113`	`}`
`114`	`114`	`}`
	`115`	`+ # Block upvoting and downvoting tags with commas, which are not`
	`116`	`+ # properly supported by the UI. Still allow withdrawing tags`
	`117`	`+ # with commas to delete legacy tags.`
	`118`	`+ if ($name =~ /,/ && $vote ne 'withdraw') {`
	`119`	`+ $self->_error($c, 'The tag name cannot contain commas. To submit multiple tags, send multiple user-tag elements.');`
	`120`	`+ }`
	`121`	`+`
`115`	`122`	`push @{ $submit->{$name} //= [] }, [$model, $vote, $entity->id];`
`116`	`123`	`}`
`117`	`124`