[PATCH 11/11] nmweb: handle non-numeric timestamp inputs
David Bremner
david at tethera.net
Sat Mar 17 05:57:18 PDT 2018
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> Without this check, it's trivial to crash the nmweb daemon with a
> ValueError by putting a non-numeric value in befores or afters.
I don't really understand what's going on here enough to comment on this
patch. Perhaps Brian can confirm. I notice currently the web page is
generating URLs like
https://nmbug.notmuchmail.org/btsmail/search/crash+date%3A%401516161600..%401520910000000
and those in turn are causing internal server errors (at least on the
instance on nmbug).
> ---
> contrib/notmuch-web/nmweb.py | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/contrib/notmuch-web/nmweb.py b/contrib/notmuch-web/nmweb.py
> index eaeeb507..21276b66 100755
> --- a/contrib/notmuch-web/nmweb.py
> +++ b/contrib/notmuch-web/nmweb.py
> @@ -65,9 +65,12 @@ class search:
> befores = web.input(befores=None).befores
> else:
> befores = '4294967296' # 2^32
> - if int(afters) > 0 or int(befores) < 4294967296:
> - redir = True
> - terms += ' %s..%s' % (afters, befores)
> + try:
> + if int(afters) > 0 or int(befores) < 4294967296:
> + redir = True
> + terms += ' %s..%s' % (afters, befores)
> + except ValueError:
> + pass
> if redir:
> raise web.seeother('/search/%s' % quote_plus(terms))
> web.header('Content-type', 'text/html')
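Review bot: The condition `int(afters) > 0 or int(befores) < 4294967296` inside the new try block short-circuits, so when afters parses to a positive number int(befores) is never evaluated and a non-numeric befores is still interpolated into terms by `terms += ' %s..%s' % (afters, befores)`. Convert both values to integers first, before the comparison, and build the range string from the converted integers so that only validated numbers reach the search terms. The try also covers more than the two conversions, and `except ValueError: pass` drops bad input silently; consider limiting the try to the int() calls and answering with an explicit client error, so a malformed request is visible rather than quietly served as an unfiltered search.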
> --
> 2.15.1