From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Cc: Ali Alnubani <alialnu@mellanox.com>
Subject: [RFC] searchview: don't be too verbose about bad queries
Date: Tue, 11 Jun 2019 19:38:15 +0000 [thread overview]
Message-ID: <20190611193815.c4uovtlp574bid6x@dcvr> (raw)
Ali sent this privately to me as a potential security issue.
I am not a security expert and I certainly don't consider this
a big enough problem to discuss privately...
The potential issue is exposing path names of Xapian installs.
I figure installation paths of open source software
(particularly with FHS / LSB systems) is well-standardized to
the point that it's pointless to obscure or obfuscate anyways.
*shrug*
---------8<-----------
From: Ali Alnubani <alialnu@mellanox.com>
Date: Tue, 11 Jun 2019 10:03:17 +0000
Subject: [PATCH] searchview: don't be too verbose about bad queries
This is to omit the message "something terrible happened at .."
from the http view when searching, since it contains absolute system paths.
This is debug information and shouldn't be displayed to the user.
---
lib/PublicInbox/SearchView.pm | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index b089de9..b7859df 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -15,6 +15,7 @@ use PublicInbox::MIME;
require PublicInbox::Git;
require PublicInbox::SearchThread;
our $LIM = 200;
+our $ERR_TXT_VERBOSE=0;
sub noop {}
@@ -136,8 +137,13 @@ sub err_txt {
my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
$err = ascii_html($err);
- "\nBad query: <b>$err</b>\n" .
- qq{See <a\nhref="$u">$u</a> for help on using search};
+ my $to_print = "\nBad query";
+ if ($ERR_TXT_VERBOSE) {
+ $to_print .= ": <b>$err</b>\n";
+ } else {
+ $to_print .= ", or search returned too many results.\n";
+ }
+ $to_print . qq{See <a\nhref="$u">$u</a> for help on using search};
}
sub search_nav_top {
--
EW
next reply other threads:[~2019-06-11 19:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-11 19:38 Eric Wong [this message]
2019-06-12 8:36 ` [RFC] searchview: don't be too verbose about bad queries Ali Alnubani
2019-06-12 17:18 ` Eric Wong
2019-06-25 6:37 ` [PATCH] searchview: avoid displaying full paths on errors Eric Wong
2019-06-25 7:33 ` Ali Alnubani
2019-06-26 6:35 ` Eric Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190611193815.c4uovtlp574bid6x@dcvr \
--to=e@80x24.org \
--cc=alialnu@mellanox.com \
--cc=meta@public-inbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/public-inbox.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).