From 82bc926ebe1ceba78dffd330c6bac92732bb41e0 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Wed, 31 May 2023 22:10:01 +0000
Subject: www: more restrictive query string parsing

Only allow single-character query keys to prevent clients from wasting memory in Perl's hash tables. We'll also perform the utf8::decode and tr/+/ / calls once on the whole query string at once to reduce op calls. This also avoids creating an empty hash in the common case when the QUERY_STRING is empty and instead relies on auto-vivification of Perl.
---
 lib/PublicInbox/ViewVCS.pm | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'lib/PublicInbox/ViewVCS.pm')
diff --git a/lib/PublicInbox/ViewVCS.pm b/lib/PublicInbox/ViewVCS.pm
index eb757089..5529ed5b 100644
--- a/lib/PublicInbox/ViewVCS.pm
+++ b/lib/PublicInbox/ViewVCS.pm
@@ -596,10 +596,9 @@ sub show_blob { # git->cat_async callback
 # GET /$INBOX/$GIT_OBJECT_ID/s/$FILENAME
 sub show ($$;$) {
 my ($ctx, $oid_b, $fn) = @_;
- my $qp = $ctx->{qp};
 my $hints = $ctx->{hints} = {};
 while (my ($from, $to) = each %QP_MAP) {
- defined(my $v = $qp->{$from}) or next;
+ my $v = $ctx->{qp}->{$from} // next;
 $hints->{$to} = $v if $v ne '';
 }
 $ctx->{fn} = $fn;
--
cgit v1.2.3-24-ge0c7
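Review bot: The added line `my $v = $ctx->{qp}->{$from} // next;` reads through `$ctx->{qp}`, which the commit message says may now be unset when QUERY_STRING is empty. In that case the nested dereference autovivifies an empty hash into `$ctx->{qp}` on the first loop iteration, so this read silently mutates `$ctx` and the empty-hash saving does not apply on this path. Any later code that tests `$ctx->{qp}` for definedness or truth would then see a hash; whether such code exists is not visible here. I would document the side effect above the loop with `# $ctx->{qp} may be undef; ->{$from} autovivifies it to {}`. Separately, the client-supplied values are copied into `$hints` with only an empty-string check, so it is worth confirming that the query parser or the consumer of the hints bounds their length and content. The body of show() continues outside the hunk.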