From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <e@80x24.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net
X-Spam-Level: 
X-Spam-ASN:  
X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00
	shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2
Received: from localhost (dcvr.yhbt.net [127.0.0.1])
	by dcvr.yhbt.net (Postfix) with ESMTP id 678B51F462;
	Tue, 11 Jun 2019 19:38:15 +0000 (UTC)
Date: Tue, 11 Jun 2019 19:38:15 +0000
From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Cc: Ali Alnubani <alialnu@mellanox.com>
Subject: [RFC] searchview: don't be too verbose about bad queries
Message-ID: <20190611193815.c4uovtlp574bid6x@dcvr>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
List-Id: <meta.public-inbox.org>

Ali sent this privately to me as a potential security issue.
I am not a security expert and I certainly don't consider this
a big enough problem to discuss privately...

The potential issue is exposing path names of Xapian installs.

I figure installation paths of open source software
(particularly with FHS / LSB systems) is well-standardized to
the point that it's pointless to obscure or obfuscate anyways.

*shrug*

---------8<-----------
From: Ali Alnubani <alialnu@mellanox.com>
Date: Tue, 11 Jun 2019 10:03:17 +0000
Subject: [PATCH] searchview: don't be too verbose about bad queries

This is to omit the message "something terrible happened at .."
from the http view when searching, since it contains absolute system paths.
This is debug information and shouldn't be displayed to the user.
---
 lib/PublicInbox/SearchView.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index b089de9..b7859df 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -15,6 +15,7 @@ use PublicInbox::MIME;
 require PublicInbox::Git;
 require PublicInbox::SearchThread;
 our $LIM = 200;
+our $ERR_TXT_VERBOSE=0;
 
 sub noop {}
 
@@ -136,8 +137,13 @@ sub err_txt {
 	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
 	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
 	$err = ascii_html($err);
-	"\nBad query: <b>$err</b>\n" .
-		qq{See <a\nhref="$u">$u</a> for help on using search};
+	my $to_print = "\nBad query";
+	if ($ERR_TXT_VERBOSE) {
+		$to_print .= ": <b>$err</b>\n";
+	} else {
+		$to_print .= ", or search returned too many results.\n";
+	}
+	$to_print . qq{See <a\nhref="$u">$u</a> for help on using search};
 }
 
 sub search_nav_top {
-- 
EW