From 0f48341ed67624f8bf113737eac0ba5b989133b3 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <lfleischer@archlinux.org>
Date: Fri, 22 May 2015 13:29:59 +0200
Subject: Do not allow more than 20 terms in search queries

Specifying a huge number of search terms currently results in complex
SQL queries. In practice, queries with more than 20 terms are rarely
needed. Ignore everything apart from the first 20 keywords to prevent
from potential abuse.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/pkgfuncs.inc.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'web/lib')

diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 8fd629f..11ca591 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -601,10 +601,21 @@ function pkg_search_page($SID="") {
 		}
 		else {
 			/* Search by name and description (default). */
+			$count = 0;
+
 			foreach (str_getcsv($_GET['K'], ' ') as $term) {
+				if ($term == "") {
+					continue;
+				}
+
 				$term = "%" . addcslashes($term, '%_') . "%";
 				$q_where .= "AND (Packages.Name LIKE " . $dbh->quote($term) . " OR ";
 				$q_where .= "Description LIKE " . $dbh->quote($term) . ") ";
+
+				$count++;
+				if ($count >= 20) {
+					break;
+				}
 			}
 		}
 	}
-- 
cgit v1.2.3-54-g00ecf