[aur-dev] Wildcards in search queries

kachelaqa kachelaqa at gmail.com
Thu Oct 4 21:07:08 EDT 2012


On 04/10/12 22:24, canyonknight at gmail.com wrote:
> It's good practice to escape '%' and '_' wildcards. Without those
> wildcards escaped it is more difficult for a user to search for those
> characters literally.

They can be escaped with '\', but it's true that the underscores can 
cause a problem if there is only one method of searching.

> There is also a potential for a simple denial of
> service attack if a malicious visitor created a search string using
> wildcards that had the sole purpose of consuming server resources.

But isn't it just search strings like '%%%' that are a problem (which 
could easily be screened out)?

> I apologize that the change created problems in your AUR helper, but I
> don't think it is something that should be undone. It has been in
> place for over 7 months now and many users didn't even know it was
> previously possible. Any functionality that depended on it was
> depending on a bug.

No apology needed :)

You haven't really caused much of a problem - it's just a loss of some 
functionality that I was hoping could be avoided.

> You may want to look at how some other AUR helpers implement AUR
> searching if you would like ideas for your own AUR helper.

The main purpose of my program (which has been around for 18 months or 
so) is to integrate searching the user's local pacman databases with 
the AUR. The wildcards were handy, because I could translate them into a 
simple glob-style syntax that would work equally well in both contexts.

So I mainly wanted to confirm that there is no chance of wildcards being 
brought back before I removed the functionality from my own program.

Thanks for the feedback.
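
Added example, not part of the original message and not the AUR's own code: a sketch of the escaping discussed in this thread, using an in-memory SQLite database. The `packages` table, the package names and the function names are constructed for illustration.

```python
import sqlite3

ESC = "\\"  # escape character named in the LIKE ... ESCAPE clause below


def escape_like(term: str) -> str:
    """Make a user-supplied term match literally inside a LIKE pattern."""
    # Escape the escape character first so later replacements are not doubled.
    for ch in (ESC, "%", "_"):
        term = term.replace(ch, ESC + ch)
    return term


def search(conn: sqlite3.Connection, term: str, escape: bool = True) -> list:
    """Substring search on package names; escape=False shows the old behaviour."""
    needle = escape_like(term) if escape else term
    rows = conn.execute(
        # The term is always bound as a parameter; escaping only changes
        # how LIKE interprets '%' and '_' inside it.
        "SELECT name FROM packages WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (f"%{needle}%",),
    )
    return [r[0] for r in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data, not real AUR content."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (name TEXT)")
    names = ["foo_bar", "foo-bar", "fooxbar", "100%cpu", "libfoo"]
    conn.executemany("INSERT INTO packages VALUES (?)", [(n,) for n in names])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for term in ("foo_bar", "%", "%%%"):
        print(repr(term), "escaped:", search(db, term),
              "unescaped:", search(db, term, escape=False))
```

With escaping, `foo_bar` matches only the name containing a literal underscore and `%%%` matches nothing; without it, `_` matches any single character and `%%%` selects every row.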


