Specifying a huge number of search terms currently results in complex SQL queries. In practice, queries with more than 20 terms are rarely needed. Ignore everything apart from the first 20 keywords to prevent from potential abuse. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org> --- web/lib/pkgfuncs.inc.php | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 8fd629f..11ca591 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -601,10 +601,21 @@ function pkg_search_page($SID="") { } else { /* Search by name and description (default). */ + $count = 0; + foreach (str_getcsv($_GET['K'], ' ') as $term) { + if ($term == "") { + continue; + } + $term = "%" . addcslashes($term, '%_') . "%"; $q_where .= "AND (Packages.Name LIKE " . $dbh->quote($term) . " OR "; $q_where .= "Description LIKE " . $dbh->quote($term) . ") "; + + $count++; + if ($count >= 20) { + break; + } } } } -- 2.4.1
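Review bot: The cap is a bare magic number (`if ($count >= 20) {`) and the loop drops every term past it silently, so a reader of this hunk cannot tell whether the cutoff is a product decision or an abuse guard; the commit message explains it, the code should too. Hoist the limit into a named constant and add a comment above the loop such as `/* Bound the number of LIKE clauses; terms beyond the cap are silently ignored to keep the query cheap. */`. The new empty-term check `if ($term == "") {` should use strict comparison, `if ($term === "") {`, since str_getcsv() only yields strings and `==` invites PHP's loose-comparison surprises. pkg_search_page() starts and ends outside the hunk.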