aurjson.class.php: Limit number of RPC results

With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.

Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.

Fixes FS#31849

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

web/lib/aurjson.class.php

@@ -117,6 +117,7 @@ class AurJSON {
     }
 
     private function process_query($type, $where_condition) {
+        global $MAX_RPC_RESULTS;
         $fields = implode(',', self::$fields);
         $query = "SELECT Users.Username as Maintainer, {$fields} " .
             "FROM Packages LEFT JOIN Users " .
@@ -149,6 +150,10 @@ class AurJSON {
                 }
             }
 
+           if ($resultcount === $MAX_RPC_RESULTS) {
+               return $this->json_error('Too many package results.');
+           }
+
             return $this->json_results($type, $resultcount, $search_data);
         }
         else {
@@ -191,6 +196,7 @@ class AurJSON {
      * @return mixed Returns an array of package matches.
      **/
     private function search($keyword_string) {
+        global $MAX_RPC_RESULTS;
         if (strlen($keyword_string) < 2) {
             return $this->json_error('Query arg too small');
         }
@@ -199,6 +205,7 @@ class AurJSON {
 
         $where_condition = "(Name LIKE {$keyword_string} OR ";
         $where_condition.= "Description LIKE {$keyword_string}) ";
+        $where_condition.= "LIMIT {$MAX_RPC_RESULTS}";
 
         return $this->process_query('search', $where_condition);
     }
@@ -227,6 +234,7 @@ class AurJSON {
      * @return mixed Returns an array of results containing the package data
      **/
     private function multiinfo($pqdata) {
+        global $MAX_RPC_RESULTS;
         $args = $this->parse_multiinfo_args($pqdata);
         $ids = $args['ids'];
         $names = $args['names'];
@@ -249,6 +257,8 @@ class AurJSON {
             $where_condition .= "Name IN ({$names_value}) ";
         }
 
+        $where_condition .= "LIMIT {$MAX_RPC_RESULTS}";
+
         return $this->process_query('multiinfo', $where_condition);
     }
 
@@ -258,9 +268,11 @@ class AurJSON {
      * @return mixed Returns an array of value data containing the package data
      **/
     private function msearch($maintainer) {
+        global $MAX_RPC_RESULTS;
         $maintainer = $this->dbh->quote($maintainer);
 
         $where_condition = "Users.Username = {$maintainer} ";
+        $where_condition .= "LIMIT {$MAX_RPC_RESULTS}";
 
         return $this->process_query('msearch', $where_condition);
     }

web/lib/config.inc.php.proto

@@ -55,3 +55,7 @@ $AUR_LOCATION = "http://localhost";
 # Use virtual URLs -- to enable this feature, you also need to tell your web
 # server to redirect all requests to "/index.php/$uri".
 $USE_VIRTUAL_URLS = true;
+
+# Maximum number of package results to return through an RPC connection.
+# Avoid setting this too high and having a PHP too much memory error.
+$MAX_RPC_RESULTS = 5000;