From 5ef37f4a13e2be711ef074dc2cd9994005273117 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Wed, 23 Jun 2021 07:14:22 -0400
Subject: www: do not warn on blank query parameters

Sometimes users (or bots) may lead queries with '&' and trigger uninitialized variable warnings, just ignore them and give consumers a $ctx->{qp}->{''} entry. While we're in the area, pass a regexp rather than scalar string to the `split' perlop to prevent Perl from recompiling the regexp on every call.
---
 lib/PublicInbox/WWW.pm | 5 ++---
 t/psgi_search.t | 4 ++++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index 8f4bfd0f..841a7e85 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -50,10 +50,9 @@ sub call {
 %{$ctx->{qp}} = map {
 utf8::decode($_);
 tr/+/ /;
- my ($k, $v) = split('=', $_, 2);
- $v = uri_unescape($v // '');
+ my ($k, $v) = split(/=/, $_, 2);
 # none of the keys we care about will need escaping
- $k => $v;
+ ($k // '', uri_unescape($v // ''))
 } split(/[&;]+/, $env->{QUERY_STRING});
 
 my $path_info = path_info_raw($env);
diff --git a/t/psgi_search.t b/t/psgi_search.t
index d59e439b..5bdd66ed 100644
--- a/t/psgi_search.t
+++ b/t/psgi_search.t
@@ -88,6 +88,10 @@ test_psgi(sub { $www->call(@_) }, sub {
 is($res->code, 200, 'successful search result');
 is_deeply([], $warn, 'no warnings from non-numeric comparison');
 
+ $res = $cb->(GET('/test/?&q=s:test'));
+ is($res->code, 200, 'successful search result');
+ is_deeply([], $warn, 'no warnings from black parameter');
+
 $res = $cb->(POST('/test/?q=s:bogus&x=m'));
 is($res->code, 404, 'failed search result gives 404');
 is_deeply([], $warn, 'no warnings');
-- cgit v1.2.3-24-ge0c7
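Review bot: The new last expression of the map block, `($k // '', uri_unescape($v // ''))`, stores a request-controlled value under the empty key for an empty element (a leading `&`) and, it appears, for any element that starts with `=`, yet nothing next to the code says that `$ctx->{qp}->{''}` can exist. A comment above that line such as `# a leading '&' or a bare '=v' yields key ''; consumers must never read $ctx->{qp}->{''}` would record the contract for anyone who later iterates over the hash. If no consumer needs the entry, returning an empty list for unnamed parameters keeps it out altogether: `length($k // '') ? ($k, uri_unescape($v // '')) : ()`. The body of `call` starts before and continues after this hunk, so how `qp` is read afterwards is not visible here.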
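Review bot: The description on the third added line, `'no warnings from black parameter'`, looks like a typo for `blank`, so a failure report would be harder to match to this commit's purpose; `'no warnings from blank parameter'` is presumably what was meant. The added `is($res->code, 200, 'successful search result')` also reuses the description of the assertion just above it, so the test output cannot tell the two requests apart; a description like `'search succeeds with leading &'` would. The new case checks only the status code and the warning list, so the `''` entry the commit message promises to consumers is not asserted anywhere in this hunk. The enclosing `test_psgi` callback starts and ends outside the hunk.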