author | canyonknight <canyonknight@gmail.com> | 2012-10-21 15:53:16 -0400 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-10-22 12:33:13 +0200 |
commit | 43a69e7127c65f2651a61300d3e32bf6f89a2595 (patch) | |
tree | cb0869c747d12fa8418a536878d7b6aaf5eeb3f9 /web/lib | |
parent | 5222bf09320ebc1cd5da799970fcc0d2dd32bb3f (diff) | |
download | aurweb-43a69e7127c65f2651a61300d3e32bf6f89a2595.tar.xz |
aurjson.class.php: Limit number of RPC results
With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.
Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.
Fixes FS#31849
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib')
-rw-r--r-- | web/lib/aurjson.class.php | 22 | ||||
-rw-r--r-- | web/lib/config.inc.php.proto | 4 |
2 files changed, 21 insertions, 5 deletions
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index fbdc711..949c34f 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -117,6 +117,7 @@ class AurJSON {
 }
 private function process_query($type, $where_condition) {
+ global $MAX_RPC_RESULTS;
 $fields = implode(',', self::$fields);
 $query = "SELECT Users.Username as Maintainer, {$fields} " .
 "FROM Packages LEFT JOIN Users " .
@@ -149,6 +150,10 @@ class AurJSON {
 }
 }
+ if ($resultcount === $MAX_RPC_RESULTS) {
+ return $this->json_error('Too many package results.');
+ }
+
 return $this->json_results($type, $resultcount, $search_data);
 } else {
@@ -191,6 +196,7 @@ class AurJSON {
 * @return mixed Returns an array of package matches.
 **/
 private function search($keyword_string) {
+ global $MAX_RPC_RESULTS;
 if (strlen($keyword_string) < 2) {
 return $this->json_error('Query arg too small');
 }
@@ -198,7 +204,8 @@ class AurJSON {
 $keyword_string = $this->dbh->quote("%" . addcslashes($keyword_string, '%_') . "%");
 $where_condition = "(Name LIKE {$keyword_string} OR ";
- $where_condition.= "Description LIKE {$keyword_string})";
+ $where_condition.= "Description LIKE {$keyword_string}) ";
+ $where_condition.= "LIMIT {$MAX_RPC_RESULTS}";
 return $this->process_query('search', $where_condition);
 }
@@ -227,6 +234,7 @@ class AurJSON {
 * @return mixed Returns an array of results containing the package data
 **/
 private function multiinfo($pqdata) {
+ global $MAX_RPC_RESULTS;
 $args = $this->parse_multiinfo_args($pqdata);
 $ids = $args['ids'];
 $names = $args['names'];
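Review bot: `if ($resultcount === $MAX_RPC_RESULTS)` in process_query cannot tell a truncated result set from one that holds exactly $MAX_RPC_RESULTS matches, so a query with precisely that many packages is answered with 'Too many package results.' even though every row was fetched. The usual fix is to request one row more than the cap and test for overflow: in the three callers write `$where_condition .= "LIMIT " . ($MAX_RPC_RESULTS + 1);` and here `if ($resultcount > $MAX_RPC_RESULTS) {`. Note also that `===` only fires when the configured value is an int; a `$MAX_RPC_RESULTS = "5000";` in config.inc.php would still produce a valid LIMIT clause but silently disable the check, whereas `>` against an `(int)` cast does not have that failure mode. process_query's body continues outside the hunk, so where $resultcount is computed is not visible here.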
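Review bot: Appending `LIMIT {$MAX_RPC_RESULTS}` to $where_condition in search() — and likewise in the multiinfo and msearch hunks — stores a LIMIT clause in a variable that process_query presumably interpolates as the WHERE condition, and repeats the same line in three callers; any future query type that omits it reintroduces the unbounded result set and memory_limit exhaustion this commit fixes. process_query already declares `global $MAX_RPC_RESULTS`, so the cap belongs there, appended once after the condition when the query string is built, and the callers go back to building only the condition. The interpolated value is configuration rather than request input, so this is a robustness point rather than an injection one.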
@@ -238,17 +246,19 @@ class AurJSON {
 $where_condition = "";
 if ($ids) {
 $ids_value = implode(',', $args['ids']);
- $where_condition .= "ID IN ({$ids_value})";
+ $where_condition .= "ID IN ({$ids_value}) ";
 }
 if ($ids && $names) {
- $where_condition .= " OR ";
+ $where_condition .= "OR ";
 }
 if ($names) {
 // individual names were quoted in parse_multiinfo_args()
 $names_value = implode(',', $args['names']);
- $where_condition .= "Name IN ({$names_value})";
+ $where_condition .= "Name IN ({$names_value}) ";
 }
+ $where_condition .= "LIMIT {$MAX_RPC_RESULTS}";
+
 return $this->process_query('multiinfo', $where_condition);
 }
@@ -258,9 +268,11 @@ class AurJSON {
 * @return mixed Returns an array of value data containing the package data
 **/
 private function msearch($maintainer) {
+ global $MAX_RPC_RESULTS;
 $maintainer = $this->dbh->quote($maintainer);
- $where_condition = "Users.Username = {$maintainer}";
+ $where_condition = "Users.Username = {$maintainer} ";
+ $where_condition .= "LIMIT {$MAX_RPC_RESULTS}";
 return $this->process_query('msearch', $where_condition);
 }
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
index f132445..1fe7dbc 100644
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@@ -55,3 +55,7 @@ $AUR_LOCATION = "http://localhost";
 # Use virtual URLs -- to enable this feature, you also need to tell your web
 # server to redirect all requests to "/index.php/$uri".
 $USE_VIRTUAL_URLS = true;
+
+# Maximum number of package results to return through an RPC connection.
+# Avoid setting this too high and having a PHP too much memory error.
+$MAX_RPC_RESULTS = 5000; |
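Review bot: The comment above `$MAX_RPC_RESULTS = 5000;` in config.inc.php.proto does not tell an administrator what the value actually constrains or that its type matters, and "having a PHP too much memory error" is hard to parse. Since the RPC code applies it as an SQL LIMIT and compares the fetched row count against it with a strict `===`, the prototype should say so; suggested wording: `# Maximum number of rows a single RPC query may return (applied as an SQL LIMIT).` followed by `# Keep this an integer literal; raising it raises peak memory use per request and can exceed memory_limit.`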