From b5948f2e715d25ff1221f139a232c8904dd6df6b Mon Sep 17 00:00:00 2001
From: Thomas Boerger <thomas@webhippie.de>
Date: Sun, 27 Mar 2016 23:26:45 +0200
Subject: [PATCH] Made the issues query more secure and simpler

---
 models/issue.go | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/models/issue.go b/models/issue.go
index 5727e07b11..f70fd1247b 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -547,27 +547,16 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
 	}
 
 	labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
-	if len(labelIDs) > 0 {
-		validJoin := false
-		queryStr := "issue.id=issue_label.issue_id"
-		for _, id := range labelIDs {
-			if id == 0 {
-				continue
-			}
-			validJoin = true
-			queryStr += " AND issue_label.label_id=" + com.ToStr(id)
-		}
-		if validJoin {
-			sess.Join("INNER", "issue_label", queryStr)
-		}
+	if len(labelIDs) > 1 {
+		sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
 	}
 
 	if opts.IsMention {
-		queryStr := "issue.id=issue_user.issue_id AND issue_user.is_mentioned=1"
+		sess.Join("INNER", "issue_user", "issue.id = issue_user.issue_id AND issue_user.is_mentioned = 1")
+
 		if opts.UserID > 0 {
-			queryStr += " AND issue_user.uid=" + com.ToStr(opts.UserID)
+			sess.Where("issue_user.uid = ?", opts.UserID)
 		}
-		sess.Join("INNER", "issue_user", queryStr)
 	}
 
 	issues := make([]*Issue, 0, setting.IssuePagingNum)
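Review bot: The `len(labelIDs) > 1` guard on the new label filter looks like an off-by-one: a request for exactly one label produces a one-element slice, the join is skipped, and the query silently returns issues without any label filtering, whereas the removed code joined for any non-zero ID. The reason for `> 1` is presumably that `strings.Split("", ",")` yields `[""]`, which converts to a single zero ID — but the new code no longer drops zero IDs at all, so an empty or malformed label list can end up as `label_id IN (0)` instead of "no filter". Filtering out non-positive IDs first and then testing `> 0` keeps the parameterized `In()` (which is the real security win over the old string concatenation) while restoring single-label filtering. Note also that `IN` matches issues carrying any of the labels and may yield one row per matching `issue_label` entry; if callers expect distinct issues, the rest of `Issues` (which starts and ends outside this hunk) would need to de-duplicate.
```go
	var labelIDs []int64
	// drop the zero that an empty Labels string produces, and any unparsable entries
	for _, id := range base.StringsToInt64s(strings.Split(opts.Labels, ",")) {
		if id > 0 {
			labelIDs = append(labelIDs, id)
		}
	}
	if len(labelIDs) > 0 {
		sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
	}
	// … unchanged: IsMention join and the rest of Issues …
```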