search: forbid getopt(3) switch injection in query

Search queries may start with `-', confusing getopt(3) and
Getopt::Long; so we use `--' to separate the query string
from switches.

Consequences of this bug were limited to a single broken HTTP
response for the requesting client.

It didn't didn't allow writes to on-disk Xapian DBs, but caused
aborts on some searches or nonsensical results when using the
optional external xap_helper processes.  There was no risk of
data leaks since the mset xap_helper endpoint only returns
document IDs (unsigned integers), and not terms.

The biggest danger from this bug was that it could run systems
out of space if they are configured to write out core dumps.

diff --git a/lib/PublicInbox/Search.pm b/lib/PublicInbox/Search.pm
index 25ef49c5ee2aef58293a523bcccf4758b26e7a0f..eb5e67ba5bf12afe8d5df0bc646364eaf7c9b3ad 100644 (file)
--- a/lib/PublicInbox/Search.pm
+++ b/lib/PublicInbox/Search.pm
@@ -480,7 +480,7 @@ sub async_mset {
        my ($self, $qry_str, $opt, $cb, @args) = @_;
        if ($XHC) { # unconditionally retrieving pct + rank for now
                xdb($self); # populate {nshards}
-               my @margs = ($self->xh_args, xh_opt($self, $opt));
+               my @margs = ($self->xh_args, xh_opt($self, $opt), '--');
                my $ret = eval {
                        my $rd = $XHC->mkreq(undef, 'mset', @margs, $qry_str);
                        PublicInbox::XhcMset->maybe_new($rd, $self, $cb, @args);