diff options
author | Lukas Fleischer <lfleischer@archlinux.org> | 2015-05-22 13:29:59 +0200 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2015-05-22 17:09:25 +0200 |
commit | 0f48341ed67624f8bf113737eac0ba5b989133b3 (patch) | |
tree | d9ab7053035503f9b38b5e64ddec00f45a207dbc /web | |
parent | 20b838a90c5874c11cb68d3ca0bf7cc3bf3c0180 (diff) | |
download | aur-0f48341ed67624f8bf113737eac0ba5b989133b3.tar.gz aur-0f48341ed67624f8bf113737eac0ba5b989133b3.tar.xz |
Do not allow more than 20 terms in search queries
Specifying a huge number of search terms currently results in complex
SQL queries. In practice, queries with more than 20 terms are rarely
needed. Ignore everything apart from the first 20 keywords to prevent
from potential abuse.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web')
-rw-r--r-- | web/lib/pkgfuncs.inc.php | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 8fd629fe..11ca5915 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -601,10 +601,21 @@ function pkg_search_page($SID="") { } else { /* Search by name and description (default). */ + $count = 0; + foreach (str_getcsv($_GET['K'], ' ') as $term) { + if ($term == "") { + continue; + } + $term = "%" . addcslashes($term, '%_') . "%"; $q_where .= "AND (Packages.Name LIKE " . $dbh->quote($term) . " OR "; $q_where .= "Description LIKE " . $dbh->quote($term) . ") "; + + $count++; + if ($count >= 20) { + break; + } } } } |