author | Eric Wong <e@80x24.org> | 2019-06-25 04:08:14 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2019-06-25 05:59:14 +0000 |
commit | c19a4e88f49ba3496751c4b87ebcfa0f6b47f0ce (patch) | |
tree | 260895fe1e65c834f69e6d32e233a65823186303 | |
parent | 2752bc2b24d1e2c96c18b5f18372fc25e0ffc1fa (diff) | |
download | public-inbox-c19a4e88f49ba3496751c4b87ebcfa0f6b47f0ce.tar.gz |
Displaying full path names of installed modules could expose unnecessary information about user home directory names or other potentially sensitive information. However, displaying a module name could still be useful for diagnosing problems, so map full paths to the part of the path name which is relevant to the package name. Reported-by: Ali Alnubani <alialnu@mellanox.com> https://public-inbox.org/meta/20190611193815.c4uovtlp574bid6x@dcvr/
-rw-r--r-- | lib/PublicInbox/SearchView.pm | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index 6f07279b..a8b66dda 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -15,6 +15,7 @@ use PublicInbox::MIME;
 require PublicInbox::Git;
 require PublicInbox::SearchThread;
 our $LIM = 200;
+my %rmap_inc;
 sub noop {}
@@ -138,10 +139,27 @@ sub mset_summary {
 *noop;
 }
+# shorten "/full/path/to/Foo/Bar.pm" to "Foo/Bar.pm" so error
+# messages don't reveal FS layout info in case people use non-standard
+# installation paths
+sub path2inc ($) {
+ my $full = $_[0];
+ if (my $short = $rmap_inc{$full}) {
+ return $short;
+ } elsif (!scalar(keys %rmap_inc) && -e $full) {
+ %rmap_inc = map {; "$INC{$_}" => $_ } keys %INC;
+ # fall back to basename as last resort
+ $rmap_inc{$full} // (split('/', $full))[-1];
+ } else {
+ $full;
+ }
+}
+
 sub err_txt {
 my ($ctx, $err) = @_;
 my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/';
 $err =~ s/^\s*Exception:\s*//; # bad word to show users :P
+ $err =~ s!(\S+)!path2inc($1)!sge;
 $err = ascii_html($err);
 "\nBad query: <b>$err</b>\n" .
 qq{See <a\nhref="$u">$u</a> for help on using search}; |
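Review bot: In `path2inc`, the basename fallback is reachable only while `%rmap_inc` is still empty: once the first existing path has filled the map, any later path that is not in it (a module loaded by a later `require`, or a file that was never in `%INC`) takes the `else` branch and is returned in full, which is the filesystem-layout disclosure this commit sets out to prevent. The `-e $full` test also runs on every `\S+` token of `$err` until the map is filled, so if any part of the message is derived from the request (not visible here), the difference in output would tell a client whether a path exists on the server. I would decide by the token's shape instead of a filesystem test and rebuild the map on a miss, as below; the trade-off is that every unmapped token starting with `/` is reduced to its last component. `err_txt` ends outside the hunk.

```perl
sub path2inc ($) {
	my $full = $_[0];
	# … unchanged: return the mapped name when $rmap_inc{$full} is set …
	# decide by shape only: no filesystem test on text taken from the error
	return $full if $full !~ m!\A/!;
	# rebuild on a miss so modules loaded since the last call are mapped
	%rmap_inc = map {; "$INC{$_}" => $_ } keys %INC;
	# fall back to basename as last resort
	$rmap_inc{$full} // (split('/', $full))[-1] // $full;
}
```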