user/dev discussion of public-inbox itself
 help / color / Atom feed
From: Eric Wong <e@80x24.org>
To: Ali Alnubani <alialnu@mellanox.com>
Cc: meta@public-inbox.org
Subject: Re: [RFC] searchview: don't be too verbose about bad queries
Date: Wed, 12 Jun 2019 17:18:28 +0000
Message-ID: <20190612171828.b6xvwol57hw3e4ri@dcvr> (raw)
In-Reply-To: <AM4PR0501MB2161859AE4E8D78E74CB2585D7EC0@AM4PR0501MB2161.eurprd05.prod.outlook.com>

Ali Alnubani <alialnu@mellanox.com> wrote:
> > -----Original Message-----
> > From: Eric Wong <e@80x24.org>
> > Sent: Tuesday, June 11, 2019 10:38 PM
> > To: meta@public-inbox.org
> > Cc: Ali Alnubani <alialnu@mellanox.com>
> > Subject: [RFC] searchview: don't be too verbose about bad queries
> > 
> > Ali sent this privately to me as a potential security issue.
> > I am not a security expert and I certainly don't consider this a big enough
> > problem to discuss privately...
> > 
> > The potential issue is exposing path names of Xapian installs.
> > 
> > I figure installation paths of open source software (particularly with FHS / LSB
> > systems) is well-standardized to the point that it's pointless to obscure or
> > obfuscate anyways.
> They are standardized for system-wide installations. But having perl libs/modules/binaries
> installed per user or on non-default paths could expose some private info, including usernames
> for example, making those system users subject to some attacks.

Fair point.

Maybe a reverse-mapping of %INC can be used to translate the
full path to the short path name (e.g. "Xapian/Enquire.pm")

Something like the following (totally untested):

	# global
	my %rmap_inc = map { "$INC{$_}" => $_ } keys %INC;

	# in err_txt:
	$err =~ s!\b(\S+)\b!
		my $full = $1;
		if (-e $full) {
			my $short = $rmap_inc{$full};
			unless (defined $short) {
				# rebuild rmap in case new modules were loaded
				%rmap_inc = map { "$INC{$_}" => $_ } keys %INC;
			}

			# fall back to basename as last resort
			$short = $rmap_inc{$full} // ((split('/', $full))[-1];
		} else {
			$full;
		}
	!sge;

      reply index

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-11 19:38 Eric Wong
2019-06-12  8:36 ` Ali Alnubani
2019-06-12 17:18   ` Eric Wong [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190612171828.b6xvwol57hw3e4ri@dcvr \
    --to=e@80x24.org \
    --cc=alialnu@mellanox.com \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

user/dev discussion of public-inbox itself

Archives are clonable:
	git clone --mirror http://public-inbox.org/meta
	git clone --mirror http://czquwvybam4bgbro.onion/meta
	git clone --mirror http://hjrcffqmbrq6wope.onion/meta
	git clone --mirror http://ou63pmih66umazou.onion/meta

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.mail.public-inbox.meta
	nntp://ou63pmih66umazou.onion/inbox.comp.mail.public-inbox.meta
	nntp://czquwvybam4bgbro.onion/inbox.comp.mail.public-inbox.meta
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.mail.public-inbox.meta
	nntp://news.gmane.org/gmane.mail.public-inbox.general

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/ public-inbox