Re: [aur-dev] [PATCH v2] aurjson.class.php: Limit number of RPC results

2012-10-22 Thread Lukas Fleischer
On Sun, Oct 21, 2012 at 03:53:16PM -0400, canyonknight wrote:
> With no limit to the number of results, memory_limit set to 32M
> can easily be exceeded for searches that have a large number of
> results. This results in an HTTP error 500 for those queries.
> 
> Limit results to an amount set within config.inc.php to avoid
> exceeding memory_limit. Introduce new JSON error code for when
> the result limit is hit.
> 
> Fixes FS#31849
> 
> Signed-off-by: canyonknight 
> ---
>  web/lib/aurjson.class.php| 22 +-
>  web/lib/config.inc.php.proto |  4 
>  2 files changed, 21 insertions(+), 5 deletions(-)

Applied, thanks!

> 
> [...]


[aur-dev] [PATCH v2] aurjson.class.php: Limit number of RPC results

2012-10-21 Thread canyonknight
With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.

Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.

Fixes FS#31849

Signed-off-by: canyonknight 
---
 web/lib/aurjson.class.php| 22 +-
 web/lib/config.inc.php.proto |  4 
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index fbdc711..949c34f 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -117,6 +117,7 @@ class AurJSON {
 }
 
 private function process_query($type, $where_condition) {
+global $MAX_RPC_RESULTS;
 $fields = implode(',', self::$fields);
 $query = "SELECT Users.Username as Maintainer, {$fields} " .
 "FROM Packages LEFT JOIN Users " .
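Review bot: `$MAX_RPC_RESULTS` is pulled in with `global` here and again in search, multiinfo and msearch (the later hunks), so the cap is fetched at four sites and each must remember the `global` line. A single private accessor, e.g. `private function max_results() { global $MAX_RPC_RESULTS; return (int) $MAX_RPC_RESULTS; }`, would give one place to cast the value and to add an `isset()` fallback for deployments whose config.inc.php was copied from a proto that predates this setting. process_query's body continues outside the hunk.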
@@ -149,6 +150,10 @@ class AurJSON {
 }
 }
 
+   if ($resultcount === $MAX_RPC_RESULTS) {
+   return $this->json_error('Too many package results.');
+   }
+
 return $this->json_results($type, $resultcount, $search_data);
 }
 else {
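Review bot: The check `$resultcount === $MAX_RPC_RESULTS` cannot tell a query that matched exactly the cap from one that matched more, because the callers (search, multiinfo, msearch hunks) already limit the query to `$MAX_RPC_RESULTS` rows; a multiinfo request for exactly that many ids is reported as 'Too many package results.' although every row was fetched. Querying one row past the cap and comparing with `>`, i.e. `"LIMIT " . ($MAX_RPC_RESULTS + 1)` in the callers and `if ($resultcount > $MAX_RPC_RESULTS)` here, separates the two cases. Strict `===` also never fires if the config value is a string such as `'5000'`, so the value should be cast to int where it is read; `$resultcount` is presumably an integer row count, but its assignment lies outside the hunk, as does the rest of process_query.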
@@ -191,6 +196,7 @@ class AurJSON {
  * @return mixed Returns an array of package matches.
  **/
 private function search($keyword_string) {
+global $MAX_RPC_RESULTS;
 if (strlen($keyword_string) < 2) {
 return $this->json_error('Query arg too small');
 }
@@ -198,7 +204,8 @@ class AurJSON {
 $keyword_string = $this->dbh->quote("%" . addcslashes($keyword_string, 
'%_') . "%");
 
 $where_condition = "(Name LIKE {$keyword_string} OR ";
-$where_condition.= "Description LIKE {$keyword_string})";
+$where_condition.= "Description LIKE {$keyword_string}) ";
+$where_condition.= "LIMIT {$MAX_RPC_RESULTS}";
 
 return $this->process_query('search', $where_condition);
 }
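Review bot: `{$MAX_RPC_RESULTS}` is interpolated into the SQL text unquoted; it comes from config.inc.php rather than from the request, but an unset or non-numeric value yields `LIMIT ` and a SQL syntax error that turns every search into a generic failure. Casting at the interpolation site, `$where_condition.= "LIMIT " . (int) $MAX_RPC_RESULTS;`, keeps the statement well-formed whatever the config holds; the same applies to the multiinfo and msearch hunks. Appending LIMIT to a variable named `$where_condition` also means process_query (outside this hunk) can no longer add an ORDER BY or a further condition after it without breaking the statement, so a `$limit` argument to process_query, or building the LIMIT clause there, would be cleaner.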
@@ -227,6 +234,7 @@ class AurJSON {
  * @return mixed Returns an array of results containing the package data
  **/
 private function multiinfo($pqdata) {
+global $MAX_RPC_RESULTS;
 $args = $this->parse_multiinfo_args($pqdata);
 $ids = $args['ids'];
 $names = $args['names'];
@@ -238,17 +246,19 @@ class AurJSON {
 $where_condition = "";
 if ($ids) {
 $ids_value = implode(',', $args['ids']);
-$where_condition .= "ID IN ({$ids_value})";
+$where_condition .= "ID IN ({$ids_value}) ";
 }
 if ($ids && $names) {
-$where_condition .= " OR ";
+$where_condition .= "OR ";
 }
 if ($names) {
 // individual names were quoted in parse_multiinfo_args()
 $names_value = implode(',', $args['names']);
-$where_condition .= "Name IN ({$names_value})";
+$where_condition .= "Name IN ({$names_value}) ";
 }
 
+$where_condition .= "LIMIT {$MAX_RPC_RESULTS}";
+
 return $this->process_query('multiinfo', $where_condition);
 }
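Review bot: For multiinfo the number of rows is bounded by how many ids and names the client sends, so the cap is only noticed after the request has been parsed, quoted and executed up to `$MAX_RPC_RESULTS` rows. Rejecting an oversized request before process_query runs, e.g. `if (count($ids) + count($names) > $MAX_RPC_RESULTS) { return $this->json_error('Too many package results.'); }`, avoids issuing the query at all; whether parse_multiinfo_args already bounds the argument count cannot be seen from this hunk. multiinfo's body begins outside the hunk.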
 
@@ -258,9 +268,11 @@ class AurJSON {
  * @return mixed Returns an array of value data containing the package data
  **/
 private function msearch($maintainer) {
+global $MAX_RPC_RESULTS;
 $maintainer = $this->dbh->quote($maintainer);
 
-$where_condition = "Users.Username = {$maintainer}";
+$where_condition = "Users.Username = {$maintainer} ";
+$where_condition .= "LIMIT {$MAX_RPC_RESULTS}";
 
 return $this->process_query('msearch', $where_condition);
 }
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
index f132445..1fe7dbc 100644
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@@ -55,3 +55,7 @@ $AUR_LOCATION = "http://localhost";;
 # Use virtual URLs -- to enable this feature, you also need to tell your web
 # server to redirect all requests to "/index.php/$uri".
 $USE_VIRTUAL_URLS = true;
+
+# Maximum number of package results to return through an RPC connection.
+# Avoid setting this too high and having a PHP too much memory error.
+$MAX_RPC_RESULTS = 5000;
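Review bot: The comment on the new setting should say what constrains the value and what happens when it is reached, since aurjson.class.php interpolates it into a SQL LIMIT and compares it with the result count; 'having a PHP too much memory error' is also awkward. Suggested wording: `# Maximum number of package results returned per RPC request. Must be an integer; a request that matches this many rows gets a 'Too many package results.' error instead of data. Keep it in line with PHP's memory_limit, since all result rows are held in memory before the JSON reply is built.`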
-- 
1.7.12.4