user/dev discussion of public-inbox itself
 help / color / Atom feed
From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Cc: Ali Alnubani <alialnu@mellanox.com>
Subject: [RFC] searchview: don't be too verbose about bad queries
Date: Tue, 11 Jun 2019 19:38:15 +0000
Message-ID: <20190611193815.c4uovtlp574bid6x@dcvr> (raw)

Ali sent this privately to me as a potential security issue.
I am not a security expert and I certainly don't consider this
a big enough problem to discuss privately...

The potential issue is exposing path names of Xapian installs.

I figure installation paths of open source software
(particularly with FHS / LSB systems) is well-standardized to
the point that it's pointless to obscure or obfuscate anyways.

*shrug*

---------8<-----------
From: Ali Alnubani <alialnu@mellanox.com>
Date: Tue, 11 Jun 2019 10:03:17 +0000
Subject: [PATCH] searchview: don't be too verbose about bad queries

This is to omit the message "something terrible happened at .."
from the http view when searching, since it contains absolute system paths.
This is debug information and shouldn't be displayed to the user.
---
 lib/PublicInbox/SearchView.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index b089de9..b7859df 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -15,6 +15,7 @@ use PublicInbox::MIME;
 require PublicInbox::Git;
 require PublicInbox::SearchThread;
 our $LIM = 200;
+our $ERR_TXT_VERBOSE=0;
 
 sub noop {}
 
@@ -136,8 +137,13 @@ sub err_txt {
 	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
 	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
 	$err = ascii_html($err);
-	"\nBad query: <b>$err</b>\n" .
-		qq{See <a\nhref="$u">$u</a> for help on using search};
+	my $to_print = "\nBad query";
+	if ($ERR_TXT_VERBOSE) {
+		$to_print .= ": <b>$err</b>\n";
+	} else {
+		$to_print .= ", or search returned too many results.\n";
+	}
+	$to_print . qq{See <a\nhref="$u">$u</a> for help on using search};
 }
 
 sub search_nav_top {
-- 
EW

             reply index

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-11 19:38 Eric Wong [this message]
2019-06-12  8:36 ` Ali Alnubani
2019-06-12 17:18   ` Eric Wong
2019-06-25  6:37     ` [PATCH] searchview: avoid displaying full paths on errors Eric Wong
2019-06-25  7:33       ` Ali Alnubani
2019-06-26  6:35         ` Eric Wong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190611193815.c4uovtlp574bid6x@dcvr \
    --to=e@80x24.org \
    --cc=alialnu@mellanox.com \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

user/dev discussion of public-inbox itself

Archives are clonable:
	git clone --mirror http://public-inbox.org/meta
	git clone --mirror http://czquwvybam4bgbro.onion/meta
	git clone --mirror http://hjrcffqmbrq6wope.onion/meta
	git clone --mirror http://ou63pmih66umazou.onion/meta

Example config snippet for mirrors

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.mail.public-inbox.meta
	nntp://ou63pmih66umazou.onion/inbox.comp.mail.public-inbox.meta
	nntp://czquwvybam4bgbro.onion/inbox.comp.mail.public-inbox.meta
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.mail.public-inbox.meta
	nntp://news.gmane.io/gmane.mail.public-inbox.general

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git