Date: Wed, 12 Jun 2019 17:18:28 +0000
From: Eric Wong
To: Ali Alnubani
Cc: meta@public-inbox.org
Subject: Re: [RFC] searchview: don't be too verbose about bad queries
Message-ID: <20190612171828.b6xvwol57hw3e4ri@dcvr>
References: <20190611193815.c4uovtlp574bid6x@dcvr>

Ali Alnubani wrote:
> > -----Original Message-----
> > From: Eric Wong
> > Sent: Tuesday, June 11, 2019 10:38 PM
> > To: meta@public-inbox.org
> > Cc: Ali Alnubani
> > Subject: [RFC] searchview: don't be too verbose about bad queries
> >
> > Ali sent this privately to me as a potential security issue.
> > I am not a security expert and I certainly don't consider this a big enough
> > problem to discuss privately...
> >
> > The potential issue is exposing path names of Xapian installs.
> >
> > I figure installation paths of open source software (particularly with FHS / LSB
> > systems) are well-standardized to the point that it's pointless to obscure or
> > obfuscate anyways.
> They are standardized for system-wide installations. But having perl libs/modules/binaries
> installed per user or on non-default paths could expose some private info, including usernames
> for example, making those system users subject to some attacks.

Fair point.  Maybe a reverse-mapping of %INC can be used to translate
the full path to the short path name (e.g. "Xapian/Enquire.pm").
Something like the following (totally untested):

# global: absolute path of every loaded module => its short %INC key
my %rmap_inc = map { "$INC{$_}" => $_ } keys %INC;

# in err_txt: only absolute paths are candidates; the trailing \b
# keeps the "." of "... line 42." out of the match
$err =~ s!(/\S+)\b!
	my $full = $1;
	my $out = $full;
	if (-e $full) {
		my $short = $rmap_inc{$full};
		unless (defined $short) {
			# rebuild rmap in case new modules were loaded
			%rmap_inc = map { "$INC{$_}" => $_ } keys %INC;
		}
		# fall back to basename as last resort
		$out = $rmap_inc{$full} // (split('/', $full))[-1];
	}
	$out;
!sge;
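A runnable version of the reverse-%INC idea above, added here as an example; it is not part of this thread or of public-inbox's code, and the sub name hide_install_paths and the sample error text are assumptions. It builds the sample message from this interpreter's own %INC and $^X, so it runs offline on any machine and shows both the %INC hit (path collapses to File/Spec.pm) and the basename fallback for an existing file that is not a loaded module, while leaving tokens that are not real paths alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;   # loaded only so a real module path is present in %INC

# reverse map: absolute path => short "Xapian/Enquire.pm"-style %INC key
my %rmap_inc = map { "$INC{$_}" => $_ } grep { defined $INC{$_} } keys %INC;

# Replace absolute paths in an error string with their short %INC name,
# or with the basename when the path exists but is not a loaded module.
# Tokens that do not name an existing path are returned unchanged.
sub hide_install_paths {
    my ($err) = @_;
    $err =~ s!(/\S+)\b!
        my $full = $1;         # copy before split() can clobber $1
        my $out  = $full;
        if (-e $full) {
            unless (defined $rmap_inc{$full}) {
                # rebuild in case modules were loaded after startup
                %rmap_inc = map { "$INC{$_}" => $_ }
                            grep { defined $INC{$_} } keys %INC;
            }
            $out = $rmap_inc{$full} // (split('/', $full))[-1];
        }
        $out;
    !ge;
    return $err;
}

# constructed sample (hypothetical Xapian-style message) using this
# interpreter's real module and binary paths so the demo works anywhere
my $mod_path = $INC{'File/Spec.pm'};
my $msg = "Xapian::QueryParserError: unknown prefix at $mod_path line 42.\n"
        . "started by $^X; unrelated token /this/path/does/not/exist\n";
print hide_install_paths($msg);
```

Any per-user install prefix in $mod_path or $^X (the kind of path Ali is concerned about) disappears from the printed output, while the nonexistent path is left untouched because -e fails for it.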