[aur-dev] Wildcards in search queries

canyonknight at gmail.com
Thu Oct 4 17:24:44 EDT 2012


On Thu, Oct 4, 2012 at 1:59 PM, kachelaqa <kachelaqa at gmail.com> wrote:
> I just recently noticed that the wildcards have been disabled in aur-1.9.1 -
> which is a pity, since it has removed some fairly useful functionality.
>
> I found bug FS#26527 that prompted the change, and read through the links -
> but I couldn't completely understand the rationale for it.
>
> It looks like there may be a problem with search queries that consist of
> only '%' wildcards, as that could match everything in the database.
>
> But wouldn't it be fairly easy to eliminate pathological cases like that?
> And aren't there already checks in place to limit the number of results
> returned?
>
> For me, the most useful feature of wildcards is that they can be used to
> *reduce* the number of results returned - which is somewhat ironic, if I
> have interpreted the rationale for this change correctly ;-)
>

It's good practice to escape '%' and '_' wildcards. Without those
wildcards escaped it is more difficult for a user to search for those
characters literally. There is also a potential for a simple denial of
service attack if a malicious visitor created a search string using
wildcards that had the sole purpose of consuming server resources.

I apologize that the change created problems in your AUR helper, but I
don't think it is something that should be undone. It has been in
place for over 7 months now and many users didn't even know it was
previously possible. Any functionality that depended on it was
depending on a bug.

You may want to look at how some other AUR helpers implement AUR
searching if you would like ideas for your own AUR helper.

Regards,

Jason
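To make the point about escaping concrete, here is an added example (not code from the AUR project) using Python's sqlite3: an unescaped user term changes the meaning of the LIKE pattern, while the escaped form matches the characters literally. The `packages` table and its names are constructed sample data.

```python
import sqlite3

# Constructed sample package names; not real AUR data.
PACKAGES = ["foo", "foo_bar", "foo-bar", "foobar", "python-requests", "100%cpu"]

ESC = "\\"  # escape character declared in the LIKE ... ESCAPE clause


def escape_like(term, esc=ESC):
    """Escape the LIKE metacharacters '%' and '_' (and the escape
    character itself) so a user-supplied term is matched literally.
    Note this is separate from SQL injection: the query below is
    parameterized, escaping only fixes the pattern semantics."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search(conn, term, escape=True):
    """Substring search over package names, like a typical AUR search.
    With escape=False the raw term is interpolated into the pattern,
    so '%' or '_' in the term widen the match."""
    if escape:
        pattern = "%" + escape_like(term) + "%"
        sql = ("SELECT name FROM packages WHERE name LIKE ? "
               "ESCAPE '\\' ORDER BY name")
    else:
        pattern = "%" + term + "%"
        sql = "SELECT name FROM packages WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (name TEXT)")
    conn.executemany("INSERT INTO packages VALUES (?)", [(n,) for n in PACKAGES])
    return conn


if __name__ == "__main__":
    db = make_db()
    # '_' matches any single character when left unescaped.
    print(search(db, "foo_bar", escape=False))  # ['foo-bar', 'foo_bar']
    print(search(db, "foo_bar"))                # ['foo_bar']
    # A lone '%' matches the whole table unless escaped.
    print(search(db, "%", escape=False))        # every row
    print(search(db, "%"))                      # ['100%cpu']
```

MySQL, which the AUR uses, has the same '%' and '_' semantics and also defaults to backslash as the escape character, so the same escaping applies there.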