user/dev discussion of public-inbox itself
 help / color / Atom feed
* [RFC] searchview: don't be too verbose about bad queries
@ 2019-06-11 19:38 Eric Wong
  2019-06-12  8:36 ` Ali Alnubani
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Wong @ 2019-06-11 19:38 UTC (permalink / raw)
  To: meta; +Cc: Ali Alnubani

Ali sent this privately to me as a potential security issue.
I am not a security expert and I certainly don't consider this
a big enough problem to discuss privately...

The potential issue is exposing path names of Xapian installs.

I figure installation paths of open source software
(particularly with FHS / LSB systems) is well-standardized to
the point that it's pointless to obscure or obfuscate anyways.

*shrug*

---------8<-----------
From: Ali Alnubani <alialnu@mellanox.com>
Date: Tue, 11 Jun 2019 10:03:17 +0000
Subject: [PATCH] searchview: don't be too verbose about bad queries

This is to omit the message "something terrible happened at .."
from the http view when searching, since it contains absolute system paths.
This is debug information and shouldn't be displayed to the user.
---
 lib/PublicInbox/SearchView.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index b089de9..b7859df 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -15,6 +15,7 @@ use PublicInbox::MIME;
 require PublicInbox::Git;
 require PublicInbox::SearchThread;
 our $LIM = 200;
+our $ERR_TXT_VERBOSE=0;
 
 sub noop {}
 
@@ -136,8 +137,13 @@ sub err_txt {
 	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
 	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
 	$err = ascii_html($err);
-	"\nBad query: <b>$err</b>\n" .
-		qq{See <a\nhref="$u">$u</a> for help on using search};
+	my $to_print = "\nBad query";
+	if ($ERR_TXT_VERBOSE) {
+		$to_print .= ": <b>$err</b>\n";
+	} else {
+		$to_print .= ", or search returned too many results.\n";
+	}
+	$to_print . qq{See <a\nhref="$u">$u</a> for help on using search};
 }
 
 sub search_nav_top {
-- 
EW

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [RFC] searchview: don't be too verbose about bad queries
  2019-06-11 19:38 [RFC] searchview: don't be too verbose about bad queries Eric Wong
@ 2019-06-12  8:36 ` Ali Alnubani
  2019-06-12 17:18   ` Eric Wong
  0 siblings, 1 reply; 3+ messages in thread
From: Ali Alnubani @ 2019-06-12  8:36 UTC (permalink / raw)
  To: Eric Wong, meta

> -----Original Message-----
> From: Eric Wong <e@80x24.org>
> Sent: Tuesday, June 11, 2019 10:38 PM
> To: meta@public-inbox.org
> Cc: Ali Alnubani <alialnu@mellanox.com>
> Subject: [RFC] searchview: don't be too verbose about bad queries
> 
> Ali sent this privately to me as a potential security issue.
> I am not a security expert and I certainly don't consider this a big enough
> problem to discuss privately...
> 
> The potential issue is exposing path names of Xapian installs.
> 
> I figure installation paths of open source software (particularly with FHS / LSB
> systems) is well-standardized to the point that it's pointless to obscure or
> obfuscate anyways.
They are standardized for system-wide installations. But having perl libs/modules/binaries
installed per user or on non-default paths could expose some private info, including usernames
for example, making those system users subject to some attacks.
> 
> *shrug*

Anyway, I also agree that it's not that critical.

Thanks,
Ali
> 
> ---------8<-----------
> From: Ali Alnubani <alialnu@mellanox.com>
> Date: Tue, 11 Jun 2019 10:03:17 +0000
> Subject: [PATCH] searchview: don't be too verbose about bad queries
> 
> This is to omit the message "something terrible happened at .."
> from the http view when searching, since it contains absolute system paths.
> This is debug information and shouldn't be displayed to the user.
> ---
>  lib/PublicInbox/SearchView.pm | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
> index b089de9..b7859df 100644
> --- a/lib/PublicInbox/SearchView.pm
> +++ b/lib/PublicInbox/SearchView.pm
> @@ -15,6 +15,7 @@ use PublicInbox::MIME;  require PublicInbox::Git;
> require PublicInbox::SearchThread;  our $LIM = 200;
> +our $ERR_TXT_VERBOSE=0;
> 
>  sub noop {}
> 
> @@ -136,8 +137,13 @@ sub err_txt {
>  	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
>  	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
>  	$err = ascii_html($err);
> -	"\nBad query: <b>$err</b>\n" .
> -		qq{See <a\nhref="$u">$u</a> for help on using search};
> +	my $to_print = "\nBad query";
> +	if ($ERR_TXT_VERBOSE) {
> +		$to_print .= ": <b>$err</b>\n";
> +	} else {
> +		$to_print .= ", or search returned too many results.\n";
> +	}
> +	$to_print . qq{See <a\nhref="$u">$u</a> for help on using search};
>  }
> 
>  sub search_nav_top {
> --
> EW

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [RFC] searchview: don't be too verbose about bad queries
  2019-06-12  8:36 ` Ali Alnubani
@ 2019-06-12 17:18   ` Eric Wong
  0 siblings, 0 replies; 3+ messages in thread
From: Eric Wong @ 2019-06-12 17:18 UTC (permalink / raw)
  To: Ali Alnubani; +Cc: meta

Ali Alnubani <alialnu@mellanox.com> wrote:
> > -----Original Message-----
> > From: Eric Wong <e@80x24.org>
> > Sent: Tuesday, June 11, 2019 10:38 PM
> > To: meta@public-inbox.org
> > Cc: Ali Alnubani <alialnu@mellanox.com>
> > Subject: [RFC] searchview: don't be too verbose about bad queries
> > 
> > Ali sent this privately to me as a potential security issue.
> > I am not a security expert and I certainly don't consider this a big enough
> > problem to discuss privately...
> > 
> > The potential issue is exposing path names of Xapian installs.
> > 
> > I figure installation paths of open source software (particularly with FHS / LSB
> > systems) is well-standardized to the point that it's pointless to obscure or
> > obfuscate anyways.
> They are standardized for system-wide installations. But having perl libs/modules/binaries
> installed per user or on non-default paths could expose some private info, including usernames
> for example, making those system users subject to some attacks.

Fair point.

Maybe a reverse-mapping of %INC can be used to translate the
full path to the short path name (e.g. "Xapian/Enquire.pm")

Something like the following (totally untested):

	# global
	my %rmap_inc = map { "$INC{$_}" => $_ } keys %INC;

	# in err_txt:
	$err =~ s!\b(\S+)\b!
		my $full = $1;
		if (-e $full) {
			my $short = $rmap_inc{$full};
			unless (defined $short) {
				# rebuild rmap in case new modules were loaded
				%rmap_inc = map { "$INC{$_}" => $_ } keys %INC;
			}

			# fall back to basename as last resort
			$short = $rmap_inc{$full} // ((split('/', $full))[-1];
		} else {
			$full;
		}
	!sge;

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-11 19:38 [RFC] searchview: don't be too verbose about bad queries Eric Wong
2019-06-12  8:36 ` Ali Alnubani
2019-06-12 17:18   ` Eric Wong

user/dev discussion of public-inbox itself

Archives are clonable:
	git clone --mirror https://public-inbox.org/meta
	git clone --mirror http://czquwvybam4bgbro.onion/meta
	git clone --mirror http://hjrcffqmbrq6wope.onion/meta
	git clone --mirror http://ou63pmih66umazou.onion/meta

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.mail.public-inbox.meta
	nntp://ou63pmih66umazou.onion/inbox.comp.mail.public-inbox.meta
	nntp://czquwvybam4bgbro.onion/inbox.comp.mail.public-inbox.meta
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.mail.public-inbox.meta
	nntp://news.gmane.org/gmane.mail.public-inbox.general

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/ public-inbox