[PATCH 11/11] nmweb: handle non-numeric timestamp inputs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Feb 4 20:19:59 PST 2018
Without this check, it's trivial to crash the nmweb daemon with a
ValueError by putting a non-numeric value in befores or afters.
---
contrib/notmuch-web/nmweb.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/contrib/notmuch-web/nmweb.py b/contrib/notmuch-web/nmweb.py
index eaeeb507..21276b66 100755
--- a/contrib/notmuch-web/nmweb.py
+++ b/contrib/notmuch-web/nmweb.py
@@ -65,9 +65,12 @@ class search:
befores = web.input(befores=None).befores
else:
befores = '4294967296' # 2^32
- if int(afters) > 0 or int(befores) < 4294967296:
- redir = True
- terms += ' %s..%s' % (afters, befores)
+ try:
+ if int(afters) > 0 or int(befores) < 4294967296:
+ redir = True
+ terms += ' %s..%s' % (afters, befores)
+ except ValueError:
+ pass
if redir:
raise web.seeother('/search/%s' % quote_plus(terms))
web.header('Content-type', 'text/html')
--
2.15.1
More information about the notmuch
mailing list