[PATCH 11/11] nmweb: handle non-numeric timestamp inputs

David Bremner david at tethera.net
Sat Mar 17 05:57:18 PDT 2018


Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> Without this check, it's trivial to crash the nmweb daemon with a
> ValueError by putting a non-numeric value in befores or afters.

I don't really understand what's going on here enough to comment on this
patch. Perhaps Brian can confirm. I notice currently the web page is
generating URLs like

           https://nmbug.notmuchmail.org/btsmail/search/crash+date%3A%401516161600..%401520910000000

and those in turn are causing internal server errors (at least on the
instance on nmbug).

> ---
>  contrib/notmuch-web/nmweb.py | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/contrib/notmuch-web/nmweb.py b/contrib/notmuch-web/nmweb.py
> index eaeeb507..21276b66 100755
> --- a/contrib/notmuch-web/nmweb.py
> +++ b/contrib/notmuch-web/nmweb.py
> @@ -65,9 +65,12 @@ class search:
>        befores = web.input(befores=None).befores
>      else:
>        befores = '4294967296' # 2^32
> -    if int(afters) > 0 or int(befores) < 4294967296:
> -      redir = True
> -      terms += ' %s..%s' % (afters, befores)
> +    try:
> +      if int(afters) > 0 or int(befores) < 4294967296:
> +        redir = True
> +        terms += ' %s..%s' % (afters, befores)
> +    except ValueError:
> +      pass
>      if redir:
>        raise web.seeother('/search/%s' % quote_plus(terms))
>      web.header('Content-type', 'text/html')
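
Review bot: the `except ValueError: pass` that closes the new try block silently discards a malformed afters or befores, so the request continues as an unfiltered search and the client gets no indication that its date range was ignored; answering with a 400, or at least logging the rejected value, would make the failure visible. Separately, inside the try the raw strings rather than the parsed integers are still interpolated by `terms += ' %s..%s' % (afters, befores)`, so anything int() accepts (surrounding whitespace, a leading sign) and any numeric value far above 4294967296 reaches the search terms unchanged whenever the other bound triggers the condition. Parsing both values to int once, range-checking them, and formatting the integers into terms would close that gap.
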
> -- 
> 2.15.1