authorEric Wong <e@yhbt.net>2020-04-20 22:55:37 +0000
committerEric Wong <e@yhbt.net>2020-04-21 20:13:47 +0000
commitfb8e7dbd1b711d25d1033c3f5f540ce47f6c0849 (patch)
tree9560834162cdb04fbc95d5bc0bac3669cd9eaea5 /script/public-inbox-index
parente700c37c0186915253d639462cfa403fd9fc964f (diff)
downloadpublic-inbox-fb8e7dbd1b711d25d1033c3f5f540ce47f6c0849.tar.gz
In normal mail paths, we can rely on MTAs being configured with
reasonable limits in the -watch and -mda mail injection paths.

However, the MTA is bypassed in a git-only delivery path, so a BOFH
could inject a large message and DoS users attempting to mirror
a public-inbox.

This doesn't protect unindexed WWW interfaces from Email::MIME
memory explosions on v1 inboxes.  Probably nobody cares about
unindexed WWW interfaces anymore, especially now that Xapian is
optional for indexing.
Diffstat (limited to 'script/public-inbox-index')
-rwxr-xr-xscript/public-inbox-index15
1 files changed, 12 insertions, 3 deletions
diff --git a/script/public-inbox-index b/script/public-inbox-index
index 7def9964..2d0f0eca 100755
--- a/script/public-inbox-index
+++ b/script/public-inbox-index
@@ -14,8 +14,9 @@ PublicInbox::Admin::require_or_die('-index');
 use PublicInbox::Xapcmd;
 
 my $compact_opt;
-my $opt = { quiet => -1, compact => 0 };
-GetOptions($opt, qw(verbose|v+ reindex compact|c+ jobs|j=i prune indexlevel|L=s))
+my $opt = { quiet => -1, compact => 0, maxsize => undef };
+GetOptions($opt, qw(verbose|v+ reindex compact|c+ jobs|j=i prune
+                indexlevel|L=s maxsize|max-size=s))
         or die "bad command-line args\n$usage";
 die "--jobs must be positive\n" if defined $opt->{jobs} && $opt->{jobs} <= 0;
 
@@ -25,14 +26,22 @@ if ($opt->{compact}) {
         $compact_opt = { -coarse_lock => 1, compact => 1 };
 }
 
-my @ibxs = PublicInbox::Admin::resolve_inboxes(\@ARGV);
+my $cfg = PublicInbox::Config->new;
+my @ibxs = PublicInbox::Admin::resolve_inboxes(\@ARGV, undef, $cfg);
 PublicInbox::Admin::require_or_die('-index');
 unless (@ibxs) { print STDERR "Usage: $usage\n"; exit 1 }
 my $mods = {};
+my $max_size = $opt->{maxsize} // $cfg->{lc('publicInbox.indexMaxSize')};
+if (defined $max_size) {
+        PublicInbox::Admin::parse_unsigned(\$max_size) or
+                die "`publicInbox.indexMaxSize=$max_size' not parsed\n";
+}
+
 foreach my $ibx (@ibxs) {
         # XXX: users can shoot themselves in the foot, with opt->{indexlevel}
         $ibx->{indexlevel} //= $opt->{indexlevel} //
                         PublicInbox::Admin::detect_indexlevel($ibx);
+        $ibx->{index_max_size} = $max_size;
         PublicInbox::Admin::scan_ibx_modules($mods, $ibx);
 }
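Review bot: The `die` after `PublicInbox::Admin::parse_unsigned(\$max_size)` always names `publicInbox.indexMaxSize`, but `$max_size` takes `$opt->{maxsize}` first, so a mistyped `--max-size` on the command line is reported as a config-file error. Pick the label from the actual source, e.g. `my $src = defined $opt->{maxsize} ? '--max-size' : 'publicInbox.indexMaxSize';` followed by ``die "`$src=$max_size' not parsed\n";``. Separately, when neither source is set, `$ibx->{index_max_size}` is assigned undef, which presumably means no cap (the consumer is not in this file). If so, the oversized-message DoS named in the description stays the default for mirrors that do not opt in. A comment above the assignment such as `# undef: no size cap unless --max-size or publicInbox.indexMaxSize is set` would make that visible to operators reading the script.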