
If you manually set per_page = 0 in the querystring, you get a divide by zero exception #907

peetucket opened this issue May 14, 2014 · 3 comments · Fixed by #1002

@peetucket
Contributor

Just noticed that if someone messes with the querystring and adjusts the per_page parameter to set it to zero, they can trigger a 500 exception, presumably when the per_page is used as a divisor when computing paging parameters and links. This occurs in Blacklight 4 and occurred in production on the Revs Digital Library site (not sure if we have a bad link or the user messed with the parameter).

@MrDys
Contributor

MrDys commented May 14, 2014

This sounds like expected behavior to me.

@cbeer
Member

cbeer commented May 14, 2014

If we did some input validation, I'm not sure what we'd do differently. Throw a 400 Bad Request instead, I suppose.

@peetucket
Contributor Author

As long as there isn't some security issue (like a DoS attack) that is possible by a random user knowing how to easily trigger 500s, it's not really an issue. If I were to recommend changing something, it would be to simply set it back to the default value (e.g. 10) if the user passes a 0. This results in no errors being generated (with the downside that if your code mistakenly set it to 0, you would not necessarily be able to figure that out).
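The two options discussed in this thread, written out as an added example (not Blacklight's own code): the unvalidated divisor that raises on per_page=0, a sanitizer that falls back to the default of 10 as peetucket suggests, and a validator that rejects the request as cbeer suggests. The MAX_PER_PAGE cap of 100 is an assumption added here.

```ruby
# Added example, not Blacklight's code: handling a user-controlled per_page
# query parameter so paging maths never divides by zero.

DEFAULT_PER_PAGE = 10   # default value suggested in the thread
MAX_PER_PAGE     = 100  # assumed upper bound; also limits huge page sizes

# Mirrors the failure in the issue: per_page is used as a divisor without
# validation, so per_page == 0 raises ZeroDivisionError (a 500 in Rails).
def unsafe_total_pages(total_hits, per_page)
  (total_hits + per_page - 1) / per_page
end

# Option 1 (peetucket): coerce bad values back to the default instead of
# raising. nil, "", non-numeric, 0 and negatives all become DEFAULT_PER_PAGE;
# oversized values are clamped to MAX_PER_PAGE.
def sanitize_per_page(raw)
  value = Integer(raw.to_s, 10) rescue nil   # "abc", "", nil -> nil
  return DEFAULT_PER_PAGE if value.nil? || value <= 0
  [value, MAX_PER_PAGE].min
end

# Option 2 (cbeer): reject the request so the controller can answer 400.
class BadRequest < StandardError; end

def validate_per_page!(raw)
  value = Integer(raw.to_s, 10) rescue nil
  raise BadRequest, "per_page must be a positive integer" if value.nil? || value <= 0
  [value, MAX_PER_PAGE].min
end

# Paging parameters derived only from a sanitized page size, so the divisor
# is always >= 1 and the requested page is clamped into range.
def paging(total_hits, raw_per_page, raw_page = "1")
  per_page    = sanitize_per_page(raw_per_page)
  total_pages = [(total_hits + per_page - 1) / per_page, 1].max
  page        = (Integer(raw_page.to_s, 10) rescue 1).clamp(1, total_pages)
  { per_page: per_page, page: page, total_pages: total_pages,
    offset: (page - 1) * per_page }
end
```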
