On Thu, Oct 4, 2012 at 1:59 PM, kachelaqa <[email protected]> wrote:
> I just recently noticed that the wildcards have been disabled in aur-1.9.1 -
> which is a pity, since it has removed some fairly useful functionality.
>
> I found bug FS#26527 that prompted the change, and read through the links -
> but I couldn't completely understand the rationale for it.
>
> It looks like there may be a problem with search queries that consist of
> only '%' wildcards, as that could match everything in the database.
>
> But wouldn't it be fairly easy to eliminate pathological cases like that?
> And aren't there already checks in place to limit the number of results
> returned?
>
> For me, the most useful feature of wildcards is that they can be used to
> *reduce* the number of results returned - which is somewhat ironic, if I
> have interpreted the rationale for this change correctly ;-)
It's good practice to escape '%' and '_' wildcards. Without those wildcards escaped it is more difficult for a user to search for those characters literally. There is also a potential for a simple denial of service attack if a malicious visitor created a search string using wildcards that had the sole purpose of consuming server resources.

I apologize that the change created problems in your AUR helper, but I don't think it is something that should be undone. It has been in place for over 7 months now and many users didn't even know it was previously possible. Any functionality that depended on it was depending on a bug.

You may want to look at how some other AUR helpers implement AUR searching if you would like ideas for your own AUR helper.

Regards,
Jason
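As an added illustration of the escaping Jason describes (this is not code from the AUR or from either poster), the following Python runs the same substring search twice against an in-memory SQLite table of constructed package names, once with '%' and '_' escaped so the user's term is matched literally and once with them left as LIKE wildcards; the table name, column name and function names are assumptions.

```python
import sqlite3

# Constructed sample package names; two contain a literal '_' or '%' so the
# difference between an escaped and a raw LIKE pattern is visible.
SAMPLE_PACKAGES = [
    "python-requests",
    "python_requests-git",
    "perl-some%thing",
    "vim-plugin",
    "ruby-gem",
]


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so user input is matched literally.

    The escape character itself is escaped first; otherwise a trailing
    backslash in the input would neutralise the escaping of a following '%'.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search(term: str, escape_wildcards: bool = True) -> list:
    """Substring search over package names (assumed schema: Packages.Name).

    escape_wildcards=True matches the term literally, as the AUR does since
    FS#26527; False lets '%' and '_' act as wildcards, so a bare '%' matches
    every row.  The term is always bound as a parameter, so the difference
    here is LIKE semantics, not SQL injection.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Packages (Name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Packages VALUES (?)",
                     [(n,) for n in SAMPLE_PACKAGES])
    pattern = escape_like(term) if escape_wildcards else term
    sql = ("SELECT Name FROM Packages WHERE Name LIKE ?"
           + (" ESCAPE '\\'" if escape_wildcards else "")
           + " ORDER BY Name")
    rows = conn.execute(sql, ("%" + pattern + "%",)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(search("python_requests"))         # literal '_' only
    print(search("python_requests", False))  # '_' also matches '-'
    print(search("%", False))                # every row: the DoS case
    print(search("%"))                       # only names with a literal '%'
```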
