From 3b7427bf66c74fbbd18e050adc0ab7a8ad5cbb55 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 28 May 2024 21:25:02 +0000
Subject: [PATCH] search: forbid getopt(3) switch injection in query

Search queries may start with `-', confusing getopt(3) and Getopt::Long; so we use `--' to separate the query string from switches.

Consequences of this bug were limited to a single broken HTTP response for the requesting client. It didn't didn't allow writes to on-disk Xapian DBs, but caused aborts on some searches or nonsensical results when using the optional external xap_helper processes.

There was no risk of data leaks since the mset xap_helper endpoint only returns document IDs (unsigned integers), and not terms.

The biggest danger from this bug was that it could run systems out of space if they are configured to write out core dumps.
---
 lib/PublicInbox/Search.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/PublicInbox/Search.pm b/lib/PublicInbox/Search.pm
index 25ef49c5e..eb5e67ba5 100644
--- a/lib/PublicInbox/Search.pm
+++ b/lib/PublicInbox/Search.pm
@@ -480,7 +480,7 @@ sub async_mset {
 my ($self, $qry_str, $opt, $cb, @args) = @_;
 if ($XHC) { # unconditionally retrieving pct + rank for now
 xdb($self); # populate {nshards}
- my @margs = ($self->xh_args, xh_opt($self, $opt));
+ my @margs = ($self->xh_args, xh_opt($self, $opt), '--');
 my $ret = eval {
 my $rd = $XHC->mkreq(undef, 'mset', @margs, $qry_str);
 PublicInbox::XhcMset->maybe_new($rd, $self, $cb, @args);
-- 
2.47.2
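Review bot: The added `'--'` on the `my @margs = ...` line carries no comment saying why it must be the last element before `$qry_str`, so a later change that appends another switch to `@margs` or reorders the `mkreq` arguments would silently reintroduce the getopt(3) switch injection this commit fixes; I would annotate it, e.g. `my @margs = ($self->xh_args, xh_opt($self, $opt), '--'); # '--' must stay last: a query may begin with '-' and xap_helper would otherwise parse it as a switch`. The terminator is only added for the `mset` request in this hunk; if other `$XHC->mkreq` call sites pass user-controlled strings positionally (not visible here), they presumably need the same treatment and are worth auditing in the same change. A regression test that sends a query beginning with `-` (for instance `-foo` or `--help`) through the xap_helper path would pin the fix, since the commit message reports aborts and core dumps as the observable failure. The body of async_mset continues outside the hunk, so I cannot tell whether the non-XHC branch needs anything.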