From 0ea0b246fad902465b8ee4d6ef24291eb8f3eedc Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sun, 15 Oct 2017 18:59:37 +0200
Subject: mod_pubsub: Limit number of items to fetch from archive storage to
 pubsub#max_items to prevent unbounded query (thanks Martin and lovetox)

---
 plugins/mod_pubsub/pubsub.lib.lua | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/plugins/mod_pubsub/pubsub.lib.lua b/plugins/mod_pubsub/pubsub.lib.lua
index 0394c41f..fd3e3768 100644
--- a/plugins/mod_pubsub/pubsub.lib.lua
+++ b/plugins/mod_pubsub/pubsub.lib.lua
@@ -2,6 +2,7 @@ local t_unpack = table.unpack or unpack; -- luacheck: ignore 113
 local time_now = os.time;
 
 local st = require "util.stanza";
+local ti = require "util.iterators";
 local uuid_generate = require "util.uuid".generate;
 local dataform = require"util.dataforms".new;
 
@@ -340,20 +341,23 @@ local function archive_itemstore(archive, config, user, node, expose_publisher)
 	module:log("debug", "Creation of itemstore for node %s with config %s", node, config);
 	local get_set = {};
 	function get_set:items() -- luacheck: ignore 212/self
-		local data, err = archive:find(user);
+		local data, err = archive:find(user, {
+			limit = tonumber(config["pubsub#max_items"]);
+			reverse = true;
+		});
 		if not data then
 			module:log("error", "Unable to get items: %s", err);
 			return true;
 		end
 		module:log("debug", "Listed items %s", data);
-		return function()
+		return it.reverse(function()
 			local id, payload, when, publisher = data();
 			if id == nil then
 				return;
 			end
 			local item = create_encapsulating_item(id, payload, publisher, expose_publisher);
 			return id, item;
-		end;
+		end);
 	end
 	function get_set:get(key) -- luacheck: ignore 212/self
 		local data, err = archive:find(user, {
-- 
cgit v1.2.3