Just noticed that if someone messes with the querystring and adjusts the per_page parameter to set it to zero, they can trigger a 500 exception, presumably when the per_page is used as a divisor when computing paging parameters and links. This occurs in Blacklight 4 and occurred in production on the Revs Digital Library site (not sure if we have a bad link or the user messed with the parameter).
Just noticed that if someone messes with the querystring and adjusts the per_page parameter to set it to zero, they can trigger a 500 exception, presumably when the per_page is used as a divisor when computing paging parameters and links. This occurs in Blacklight 4.
As long as there isn't some security issue (like a DoS attack) that is possible by a random user knowing how to easily trigger 500s, it's not really an issue. If I were to recommend changing something, it would be to simply set it back to the default value (e.g. 10) if the user passes a 0. This results in no errors being generated (with the downside that if your code mistakenly set it to 0, you would not necessarily be able to figure that out).
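The fallback suggested in the comment above, written out as an added Ruby example; it is not Blacklight's code and not part of the original thread. The method names, the upper bound of 100 and the ceiling-division form of the page count are assumptions, and the optional logger callback is one way to keep a mistaken `per_page=0` visible despite the silent fallback.

```ruby
# Added example (not Blacklight code). All names and limits are assumptions.
DEFAULT_PER_PAGE = 10   # default value suggested in the thread
MAX_PER_PAGE     = 100  # assumed upper bound on page size

# Assumed shape of the failing computation: per_page used directly as a divisor.
def total_pages_unsafe(total, raw_per_page)
  per_page = raw_per_page.to_i
  (total + per_page - 1) / per_page   # ZeroDivisionError when per_page is 0
end

# Returns [per_page, fell_back]. fell_back is true when the raw value was
# missing, non-numeric, zero or negative and the default was substituted.
# Arrays and hashes (e.g. per_page[]=0) stringify to non-numeric text and
# therefore also fall back.
def sanitize_per_page(raw, default: DEFAULT_PER_PAGE, max: MAX_PER_PAGE)
  value = Integer(raw.to_s.strip, 10, exception: false)
  return [default, true] if value.nil? || value < 1

  [[value, max].min, false]
end

# Computes paging info from an untrusted per_page value. The optional logger
# (any object responding to #call) records each fallback, so a caller that
# mistakenly sends 0 can still be found in the logs.
def page_info(total, raw_per_page, logger: nil)
  per_page, fell_back = sanitize_per_page(raw_per_page)
  if fell_back
    # inspect escapes control characters, so the raw value cannot forge log lines
    logger&.call("per_page=#{raw_per_page.inspect} rejected, using #{per_page}")
  end
  {
    per_page: per_page,
    total_pages: (total + per_page - 1) / per_page, # ceiling division, divisor >= 1
    fell_back: fell_back
  }
end
```
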