Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

> Without this check, it's trivial to crash the nmweb daemon with a
> ValueError by putting a non-numeric value in befores or afters.
I don't really understand what's going on here enough to comment on this patch. Perhaps Brian can confirm. I notice currently the web page is generating URLs like https://nmbug.notmuchmail.org/btsmail/search/crash+date%3A%401516161600..%401520910000000 and those in turn are causing internal server errors (at least on the instance on nmbug).

> --- > contrib/notmuch-web/nmweb.py | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/contrib/notmuch-web/nmweb.py b/contrib/notmuch-web/nmweb.py > index eaeeb507..21276b66 100755 > --- a/contrib/notmuch-web/nmweb.py > +++ b/contrib/notmuch-web/nmweb.py > @@ -65,9 +65,12 @@ class search: > befores = web.input(befores=None).befores > else: > befores = '4294967296' # 2^32 > - if int(afters) > 0 or int(befores) < 4294967296: > - redir = True > - terms += ' %s..%s' % (afters, befores) > + try: > + if int(afters) > 0 or int(befores) < 4294967296: > + redir = True > + terms += ' %s..%s' % (afters, befores) > + except ValueError: > + pass > if redir: > raise web.seeother('/search/%s' % quote_plus(terms)) > web.header('Content-type', 'text/html') > -- > 2.15.1 > > _______________________________________________ > notmuch mailing list > notmuch@notmuchmail.org > https://notmuchmail.org/mailman/listinfo/notmuch
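
Review bot: In the new `except ValueError: pass` branch, a bad value in either befores or afters silently drops the whole range, including a valid bound supplied on the other side, and the request carries on as if no date filter had been given; returning a 400 for the malformed parameter, or at least keeping the valid bound, would make the failure visible to the caller. Separately, the `int()` results are only used for the comparison and the raw strings are still interpolated in `terms += ' %s..%s' % (afters, befores)`, so input that `int()` accepts but that is not a plain digit string (surrounding whitespace, a leading sign) still reaches the search terms; converting each value once and formatting the integers with `%d` would close that. The condition also does not reject numeric values outside the 0..4294967296 range, so a negative afters or an oversized befores paired with a positive afters is still appended.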