
Paginate's :page argument generates invalid queries given values larger than sql BIGINT #115

Closed
jonah-williams opened this Issue · 3 comments

2 participants

@jonah-williams

Given examples like `@posts = Post.paginate_by_board_id @board.id, :page => params[:page], :order => 'updated_at DESC'`, which suggest that we should be able to pass user-provided params to will_paginate, I would expect will_paginate to validate the range of the provided arguments. As is, a user can specify a page number greater than 9223372036854775807, which will generate an invalid SQL query. Instead I would expect will_paginate to raise InvalidPage or ArgumentError, as it does when given negative or otherwise invalid arguments.

Fix available in #116

@mislav
Owner

Pulled in 4d92d1b

@mislav mislav closed this
@mislav mislav referenced this issue from a commit
@mislav refactor page number checking, add offset validation
Raise WP::InvalidPage exception on offset values larger than SQL's BIGINT

references #115
05fc834
@mislav
Owner

Thanks for raising this concern. I've pulled your contribution, but refactored it later to account for the fact it's not the page number we're concerned with, it's the calculated offset when performing the SQL query. So now only offset is checked for exceeding BIGINT.

Of course, the SQL limit is also a part of the query, but limit values should never come from outside of the app (or if they do, they should be sanitized). Therefore I don't check limit this way because I trust the developers.
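The check described above, as an added example that is not will_paginate's own code: the user-supplied page number is coerced and range-checked first, and then the computed OFFSET (page minus one, times per_page), rather than the page number itself, is compared against the signed 64-bit BIGINT maximum, since a modest page number multiplied by a large per_page can overflow even when the page number alone does not. The module and class names (`PageValidator`, `InvalidPage`) are assumptions for this illustration.

```ruby
# Added illustration, not will_paginate's own code. Mirrors the thread's fix:
# validate the page number, then reject the computed SQL OFFSET (not the page)
# when it would exceed BIGINT. Names PageValidator/InvalidPage are assumed.
module PageValidator
  # Largest value a signed 64-bit SQL BIGINT can hold (2^63 - 1)
  BIGINT_MAX = 2**63 - 1

  class InvalidPage < ArgumentError; end

  # Coerce and check a user-supplied page number such as params[:page].
  # Accepts an Integer or a string of digits; rejects nil, non-numeric
  # input, and anything below 1. Returns the page as an Integer.
  def self.page(value)
    raise InvalidPage, "page is nil" if value.nil?
    str = value.to_s.strip
    raise InvalidPage, "invalid page: #{value.inspect}" unless str =~ /\A\d+\z/
    num = Integer(str, 10)
    raise InvalidPage, "page must be >= 1, got #{num}" if num < 1
    num
  end

  # Compute the SQL OFFSET for (page, per_page) and refuse it if the query
  # would carry a value larger than BIGINT. per_page is trusted app config,
  # as the thread notes, so it only gets a basic sanity check here.
  def self.offset(page, per_page)
    unless per_page.is_a?(Integer) && per_page >= 1
      raise ArgumentError, "per_page must be a positive Integer"
    end
    off = (page(page) - 1) * per_page
    raise InvalidPage, "offset #{off} exceeds SQL BIGINT" if off > BIGINT_MAX
    off
  end

  # Build the LIMIT/OFFSET fragment from validated integers only.
  def self.limit_clause(page, per_page)
    "LIMIT #{per_page} OFFSET #{offset(page, per_page)}"
  end

  # Convenience predicate: true when (page, per_page) yields a safe offset.
  def self.valid?(page, per_page)
    offset(page, per_page)
    true
  rescue ArgumentError # InvalidPage is a subclass of ArgumentError
    false
  end
end

if __FILE__ == $0
  # Constructed sample inputs standing in for params[:page] values.
  puts PageValidator.limit_clause("2", 30)        # LIMIT 30 OFFSET 30
  puts PageValidator.valid?("9223372036854775808", 1)   # page > BIGINT, offset fits
  puts PageValidator.valid?(2**62, 10)            # page fits, offset overflows
end
```

Note that page `9223372036854775808` with `per_page` 1 yields offset `9223372036854775807`, which still fits in BIGINT and so is accepted, whereas page `2**62` with `per_page` 10 is rejected: this is exactly why the thread moved the check from the page number to the offset.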

@jonah-williams

Sounds good, thanks for completing the fix.
