Date: Tue, 11 Jun 2019 19:38:15 +0000
From: Eric Wong
To: meta@public-inbox.org
Cc: Ali Alnubani
Subject: [RFC] searchview: don't be too verbose about bad queries
Message-ID: <20190611193815.c4uovtlp574bid6x@dcvr>

Ali sent this privately to me as a potential security issue.

I am not a security expert and I certainly don't consider this a big enough problem to discuss privately...

The potential issue is exposing path names of Xapian installs. I figure installation paths of open source software (particularly with FHS / LSB systems) are well-standardized to the point that it's pointless to obscure or obfuscate anyways. *shrug*

---------8<-----------
From: Ali Alnubani
Date: Tue, 11 Jun 2019 10:03:17 +0000
Subject: [PATCH] searchview: don't be too verbose about bad queries

This is to omit the message "something terrible happened at .." from the http view when searching, since it contains absolute system paths. This is debug information and shouldn't be displayed to the user.
---
 lib/PublicInbox/SearchView.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm index b089de9..b7859df 100644 --- a/lib/PublicInbox/SearchView.pm +++ b/lib/PublicInbox/SearchView.pm @@ -15,6 +15,7 @@ use PublicInbox::MIME; require PublicInbox::Git; require PublicInbox::SearchThread; our $LIM = 200; +our $ERR_TXT_VERBOSE=0; sub noop {} 
@@ -136,8 +137,13 @@ sub err_txt { my $u = $ctx->{-inbox}->base_url($ctx->{env}) . '_/text/help/'; $err =~ s/^\s*Exception:\s*//; # bad word to show users :P $err = ascii_html($err); - "\nBad query: $err\n" . - qq{See $u for help on using search}; + my $to_print = "\nBad query"; + if ($ERR_TXT_VERBOSE) { + $to_print .= ": $err\n"; + } else { + $to_print .= ", or search returned too many results.\n"; + } + $to_print . qq{See $u for help on using search}; } sub search_nav_top { -- EW
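
Review bot: In the first hunk (@@ -15,6 +15,7 @@), the new package global $ERR_TXT_VERBOSE is undocumented and nothing in the patch ever sets it, so the only way to get the detailed message back is to edit the source or assign to the variable from other code. A short comment above the declaration saying what the flag controls, why it defaults to 0 (the error text can contain absolute paths), and how an operator is meant to enable it would help. As a style point, `our $ERR_TXT_VERBOSE=0;` lacks the spaces around `=` that the neighbouring `our $LIM = 200;` uses.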
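
Review bot: In the second hunk (@@ -136,8 +137,13 @@ sub err_txt), the non-verbose branch discards $err completely, and nothing in the visible lines writes it anywhere else, so with the default setting the operator loses the diagnostic along with the user. Consider sending the original text to the server-side error log (for example with warn) before returning the generic message, so the path-bearing detail stays available to the admin without reaching the HTTP response. Two smaller points: the `s/^\s*Exception:\s*//` substitution and the ascii_html() call still run when their result is never used, and the replacement text ", or search returned too many results" tells a user with a simple syntax error nothing about what to fix; stripping only the file path and line portion of the message would keep the response useful while still hiding the install path.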