[aur-dev] Wildcards in search queries

canyonknight at gmail.com canyonknight at gmail.com
Thu Oct 4 17:24:44 EDT 2012

On Thu, Oct 4, 2012 at 1:59 PM, kachelaqa <kachelaqa at gmail.com> wrote:
> I just recently noticed that the wildcards have been disabled in aur-1.9.1 -
> which is a pity, since it has removed some fairly useful functionality.
> I found bug FS#26527 that prompted the change, and read through the links -
> but I couldn't completely understand the rationale for it.
> It looks like there may be a problem with search queries that consist of
> only '%' wildcards, as that could match everything in the database.
> But wouldn't it be fairly easy to eliminate pathological cases like that?
> And aren't there already checks in place to limit the number of results
> returned?
> For me, the most useful feature of wildcards is that they can be used to
> *reduce* the number of results returned - which is somewhat ironic, if I
> have interpreted the rationale for this change correctly ;-)

It's good practice to escape '%' and '_' wildcards. Without those
wildcards escaped it is more difficult for a user to search for those
characters literally. There is also a potential for a simple denial of
service attack if a malicious visitor created a search string using
wildcards that had the sole purpose of consuming server resources.

I apologize that the change created problems in your AUR helper, but I
don't think it is something that should be undone. It has been in
place for over 7 months now and many users didn't even know it was
previously possible. Any functionality that depended on it was
depending on a bug.

You may want to look at how some other AUR helpers implement AUR
searching if you would like ideas for your own AUR helper.



More information about the aur-dev mailing list