From 613364b773c6352ae17aea3d2a74786fe0ca607d Mon Sep 17 00:00:00 2001
From: Morten Linderud <morten@linderud.pw>
Date: Fri, 4 Sep 2020 09:27:34 +0200
Subject: [PATCH] pkg_search_page: Limit number of results on package search

The current package search query is quite poorly optimized and becomes a
resource hog when the offsets gets large enough. This DoSes the service.

A quick fix is to just ensure we have some limit to the number of hits
we return. The current hardcoding of 2500 is based on the following:

    * 250 hits per page max
    * 10 pages

We can maybe consider having it lower, but it seems easier to just have
this a multiple of 250 in the first iteration.

Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/pkgfuncs.inc.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 8c915711..80758005 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -619,7 +619,7 @@ function pkg_search_page($params, $show_headers=true, $SID="") {
 
 	/* Sanitize paging variables. */
 	if (isset($params['O'])) {
-		$params['O'] = max(intval($params['O']), 0);
+		$params['O'] = bound(intval($params['O']), 0, 2500);
 	} else {
 		$params['O'] = 0;
 	}
@@ -771,9 +771,8 @@ function pkg_search_page($params, $show_headers=true, $SID="") {
 	$result_t = $dbh->query($q_total);
 	if ($result_t) {
 		$row = $result_t->fetch(PDO::FETCH_NUM);
-		$total = $row[0];
-	}
-	else {
+		$total = min($row[0], 2500);
+	} else {
 		$total = 0;
 	}