user/dev discussion of public-inbox itself
* Re: [PATCH] searchview: avoid displaying full paths on errors
  2019-06-25  7:33 14%       ` Ali Alnubani
@ 2019-06-26  6:35 14%         ` Eric Wong
  0 siblings, 0 replies; 3+ results
From: Eric Wong @ 2019-06-26  6:35 UTC
  To: Ali Alnubani; +Cc: meta

Ali Alnubani <alialnu@mellanox.com> wrote:
> Thanks for the patch Eric.
> I apologize for taking so long to update mine.

No worries.  Pushed as c19a4e88f49ba3496751c4b87ebcfa0f6b47f0ce

> >  sub err_txt {
> >  	my ($ctx, $err) = @_;
> >  	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
> >  	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
> > +	$err =~ s!(\S+)!path2inc($1)!sge;
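
Review bot: at `$err =~ s!(\S+)!path2inc($1)!sge;` every run of
non-whitespace is handed to path2inc as one token, so a path with
punctuation attached (a trailing comma, colon or period, or a
surrounding quote) is neither a key of the reversed %INC map nor a
name that passes `-e`, and it is shown unshortened.  Consider trimming
leading and trailing punctuation from the token before the lookup, or
matching only tokens that look like absolute paths.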

One potential issue is this won't match paths if somebody has
spaces in their installation paths.  But I suppose few
distros or users building their own Perl are that strange...


* RE: [PATCH] searchview: avoid displaying full paths on errors
  2019-06-25  6:37 13%     ` [PATCH] searchview: avoid displaying full paths on errors Eric Wong
@ 2019-06-25  7:33 14%       ` Ali Alnubani
  2019-06-26  6:35 14%         ` Eric Wong
  0 siblings, 1 reply; 3+ results
From: Ali Alnubani @ 2019-06-25  7:33 UTC
  To: Eric Wong; +Cc: meta@public-inbox.org

Thanks for the patch Eric.
I apologize for taking so long to update mine.

> -----Original Message-----
> From: Eric Wong <e@80x24.org>
> Sent: Tuesday, June 25, 2019 9:37 AM
> To: Ali Alnubani <alialnu@mellanox.com>
> Cc: meta@public-inbox.org
> Subject: [PATCH] searchview: avoid displaying full paths on errors
> 
> Displaying full path names of installed modules could expose unnecessary
> information about user home directory names or other potentially sensitive
> information.  However, displaying a module name could still be useful for
> diagnosing problems, so map full paths to the relevant part of the path name
> which is relevant to the package name.
> 
> Reported-by: Ali Alnubani <alialnu@mellanox.com>
> 
<removed>
> ---
>  lib/PublicInbox/SearchView.pm | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
> index 6f07279b..a8b66dda 100644
> --- a/lib/PublicInbox/SearchView.pm
> +++ b/lib/PublicInbox/SearchView.pm
> @@ -15,6 +15,7 @@ use PublicInbox::MIME;  require PublicInbox::Git;
> require PublicInbox::SearchThread;  our $LIM = 200;
> +my %rmap_inc;
> 
>  sub noop {}
> 
> @@ -138,10 +139,27 @@ sub mset_summary {
>  	*noop;
>  }
> 
> +# shorten "/full/path/to/Foo/Bar.pm" to "Foo/Bar.pm" so error #
> +messages don't reveal FS layout info in case people use non-standard #
> +installation paths sub path2inc ($) {
> +	my $full = $_[0];
> +	if (my $short = $rmap_inc{$full}) {
> +		return $short;
> +	} elsif (!scalar(keys %rmap_inc) && -e $full) {
> +		%rmap_inc = map {; "$INC{$_}" => $_ } keys %INC;
> +		# fall back to basename as last resort
> +		$rmap_inc{$full} // (split('/', $full))[-1];
> +	} else {
> +		$full;
> +	}
> +}
> +
>  sub err_txt {
>  	my ($ctx, $err) = @_;
>  	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
>  	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
> +	$err =~ s!(\S+)!path2inc($1)!sge;
>  	$err = ascii_html($err);
>  	"\nBad query: <b>$err</b>\n" .
>  		qq{See <a\nhref="$u">$u</a> for help on using search};
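
Review bot: the comment above path2inc has been re-wrapped in this
quoted copy: `+messages don't reveal FS layout info ...` no longer
starts with `#`, and `sub path2inc ($) {` is joined onto
`+installation paths`; the context lines of the first hunk are joined
in the same way.  As quoted, the patch neither applies nor compiles,
so review and apply the hunks from the original message instead.
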
> --
> EW

Thanks,
Ali


* [PATCH] searchview: avoid displaying full paths on errors
  @ 2019-06-25  6:37 13%     ` Eric Wong
  2019-06-25  7:33 14%       ` Ali Alnubani
  0 siblings, 1 reply; 3+ results
From: Eric Wong @ 2019-06-25  6:37 UTC
  To: Ali Alnubani; +Cc: meta

Displaying full path names of installed modules could expose
unnecessary information about user home directory names or other
potentially sensitive information.  However, displaying a module
name could still be useful for diagnosing problems, so map full
paths to the relevant part of the path name which is relevant to
the package name.

Reported-by: Ali Alnubani <alialnu@mellanox.com>
  https://public-inbox.org/meta/20190611193815.c4uovtlp574bid6x@dcvr/
---
 lib/PublicInbox/SearchView.pm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index 6f07279b..a8b66dda 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -15,6 +15,7 @@ use PublicInbox::MIME;
 require PublicInbox::Git;
 require PublicInbox::SearchThread;
 our $LIM = 200;
+my %rmap_inc;
 
 sub noop {}
 
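Review bot: `my %rmap_inc;` is added without a comment saying what it
maps or how long it lives.  As a file-scoped lexical it persists for
the life of the process and is shared by every call to err_txt; a
one-line comment stating that it maps full paths from %INC back to
their %INC keys, and that it is filled lazily by path2inc, would make
that clear to the next reader.
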
@@ -138,10 +139,27 @@ sub mset_summary {
 	*noop;
 }
 
+# shorten "/full/path/to/Foo/Bar.pm" to "Foo/Bar.pm" so error
+# messages don't reveal FS layout info in case people use non-standard
+# installation paths
+sub path2inc ($) {
+	my $full = $_[0];
+	if (my $short = $rmap_inc{$full}) {
+		return $short;
+	} elsif (!scalar(keys %rmap_inc) && -e $full) {
+		%rmap_inc = map {; "$INC{$_}" => $_ } keys %INC;
+		# fall back to basename as last resort
+		$rmap_inc{$full} // (split('/', $full))[-1];
+	} else {
+		$full;
+	}
+}
+
 sub err_txt {
 	my ($ctx, $err) = @_;
 	my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
 	$err =~ s/^\s*Exception:\s*//; # bad word to show users :P
+	$err =~ s!(\S+)!path2inc($1)!sge;
 	$err = ascii_html($err);
 	"\nBad query: <b>$err</b>\n" .
 		qq{See <a\nhref="$u">$u</a> for help on using search};
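
Review bot: in path2inc the basename fallback can only run on the call
that fills %rmap_inc, because the elsif is guarded by
`!scalar(keys %rmap_inc)`.  Once the map is populated, any token that
is not already a key (a module that entered %INC later, or an existing
file that was never in %INC) takes the else branch and is returned as
the full path, which is what the change is meant to hide.  Consider
separating the two conditions: fill the map when it is empty, then for
a token that is still missing from the map but passes `-e`, return the
last path component.
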
-- 
EW


2019-06-11 19:38     [RFC] searchview: don't be too verbose about bad queries Eric Wong
2019-06-12  8:36     ` Ali Alnubani
2019-06-12 17:18       ` Eric Wong
2019-06-25  6:37 13%     ` [PATCH] searchview: avoid displaying full paths on errors Eric Wong
2019-06-25  7:33 14%       ` Ali Alnubani
2019-06-26  6:35 14%         ` Eric Wong

Code repositories for project(s) associated with this public inbox

	https://80x24.org/public-inbox.git
