summaryrefslogtreecommitdiffstats
path: root/web
diff options
context:
space:
mode:
authorLukas Fleischer <lfleischer@archlinux.org>2015-05-22 13:29:59 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2015-05-22 17:09:25 +0200
commit0f48341ed67624f8bf113737eac0ba5b989133b3 (patch)
treed9ab7053035503f9b38b5e64ddec00f45a207dbc /web
parent20b838a90c5874c11cb68d3ca0bf7cc3bf3c0180 (diff)
downloadaur-0f48341ed67624f8bf113737eac0ba5b989133b3.tar.gz
aur-0f48341ed67624f8bf113737eac0ba5b989133b3.tar.xz
Do not allow more than 20 terms in search queries
Specifying a huge number of search terms currently results in complex SQL queries. In practice, queries with more than 20 terms are rarely needed. Ignore everything apart from the first 20 keywords to prevent from potential abuse. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web')
-rw-r--r--web/lib/pkgfuncs.inc.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 8fd629fe..11ca5915 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -601,10 +601,21 @@ function pkg_search_page($SID="") {
}
else {
/* Search by name and description (default). */
+ $count = 0;
+
foreach (str_getcsv($_GET['K'], ' ') as $term) {
+ if ($term == "") {
+ continue;
+ }
+
$term = "%" . addcslashes($term, '%_') . "%";
$q_where .= "AND (Packages.Name LIKE " . $dbh->quote($term) . " OR ";
$q_where .= "Description LIKE " . $dbh->quote($term) . ") ";
+
+ $count++;
+ if ($count >= 20) {
+ break;
+ }
}
}
}