From 9c91ae2744ae6392afc5fe724265e6b560a436e7 Mon Sep 17 00:00:00 2001
From: Philipp Heckel
Date: Sat, 23 Apr 2022 15:23:18 -0400
Subject: [PATCH] Make sure clear= values are checked
---
 server/util.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/server/util.go b/server/util.go
index c51b6798..34d706f8 100644
--- a/server/util.go
+++ b/server/util.go
@@ -126,6 +126,9 @@ func parseActionsFromSimple(s string) ([]*action, error) {
 newAction.Label = value
 case "clear":
 lvalue := strings.ToLower(value)
+ if !util.InStringList([]string{"true", "yes", "1", "false", "no", "0"}, lvalue) {
+ return nil, wrapErrHTTP(errHTTPBadRequestActionsInvalid, "'clear=%s' not allowed", value)
+ }
 newAction.Clear = lvalue == "true" || lvalue == "yes" || lvalue == "1"
 case "url":
 newAction.URL = value
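Review bot: The accepted spellings for `clear` are now written out twice in the `case "clear":` branch, once in the `util.InStringList` allow-list and again in the `lvalue == "true" || ...` expression right after it, so a later edit to one can silently disagree with the other. A single inner `switch` on the lowered value, with a `default` that returns the 400, keeps acceptance and interpretation in one place, as sketched below. The error also echoes the caller-supplied `value` verbatim through `%s`; if that message can reach logs or a renderer that does not escape it (not visible in this hunk), `%q` would be the safer verb. The diffstat lists only server/util.go, so a test asserting that a constructed value such as `clear=maybe` is rejected appears to be missing. The body of parseActionsFromSimple starts and ends outside this hunk.

```go
		case "clear":
			// Accept and interpret the boolean spellings in one place so the
			// allow-list and the truthy set cannot drift apart.
			switch strings.ToLower(value) {
			case "true", "yes", "1":
				newAction.Clear = true
			case "false", "no", "0":
				newAction.Clear = false
			default:
				return nil, wrapErrHTTP(errHTTPBadRequestActionsInvalid, "'clear=%s' not allowed", value)
			}
		// … unchanged: case "url" and the remaining keys …
```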