Re: [PATCH 11/11] nmweb: handle non-numeric timestamp inputs

Subject: Re: [PATCH 11/11] nmweb: handle non-numeric timestamp inputs

Date: Sat, 17 Mar 2018 09:57:18 -0300

To: Daniel Kahn Gillmor, Notmuch Mail

Cc:

From: David Bremner


Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> Without this check, it's trivial to crash the nmweb daemon with a
> ValueError by putting a non-numeric value in befores or afters.

I don't really understand what's going on here enough to comment on this
patch. Perhaps Brian can confirm. I notice currently the web page is
generating URLs like

           https://nmbug.notmuchmail.org/btsmail/search/crash+date%3A%401516161600..%401520910000000

and those in turn are causing internal server errors (at least on the
instance on nmbug).

> ---
>  contrib/notmuch-web/nmweb.py | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/contrib/notmuch-web/nmweb.py b/contrib/notmuch-web/nmweb.py
> index eaeeb507..21276b66 100755
> --- a/contrib/notmuch-web/nmweb.py
> +++ b/contrib/notmuch-web/nmweb.py
> @@ -65,9 +65,12 @@ class search:
>        befores = web.input(befores=None).befores
>      else:
>        befores = '4294967296' # 2^32
> -    if int(afters) > 0 or int(befores) < 4294967296:
> -      redir = True
> -      terms += ' %s..%s' % (afters, befores)
> +    try:
> +      if int(afters) > 0 or int(befores) < 4294967296:
> +        redir = True
> +        terms += ' %s..%s' % (afters, befores)
> +    except ValueError:
> +      pass
>      if redir:
>        raise web.seeother('/search/%s' % quote_plus(terms))
>      web.header('Content-type', 'text/html')
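Review bot: The new `except ValueError: pass` swallows a malformed afters or befores silently, so a request with a bad timestamp continues as if no date range had been supplied and the user gets unfiltered results with no indication why. Consider answering with a 400-style error, or at least logging the rejected value. Separately, inside the try the values are validated with int() but the raw strings are still what `terms += ' %s..%s' % (afters, befores)` interpolates; int() accepts input such as surrounding whitespace or a leading sign, so parsing once into integers and formatting those would keep the search term canonical. The literal 4294967296 also appears twice (in the default and in the comparison) and would be clearer as one named constant.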
> -- 
> 2.15.1
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch