From bfd40753d3b0246e5c46cb2a29f341a6401f5107 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Wed, 18 Nov 2020 17:38:22 +0100
Subject: [PATCH] Enforce check that a mailinglist exists earlier during search
---
 pgweb/search/views.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/pgweb/search/views.py b/pgweb/search/views.py
index 0cc379a9..e48ab606 100644
--- a/pgweb/search/views.py
+++ b/pgweb/search/views.py
@@ -1,5 +1,5 @@
 from django.shortcuts import render
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, Http404
 from django.views.decorators.csrf import csrf_exempt
 from django.conf import settings
 
@@ -63,7 +63,16 @@ def search(request):
 if request.GET.get('l', '') != '':
 try:
 listid = int(request.GET['l'])
- except Exception as e:
+ if listid >= 0:
+ # Make sure the list exists
+ if not MailingList.objects.filter(id=listid).exists():
+ raise Http404()
+ else:
+ # Negative means it's a group, so verify that it exists
+ if not MailingList.objects.filter(group=-listid).exists():
+ raise Http404()
+ except ValueError:
+ # If it's not an integer we just don't care
 listid = None
 else:
 # Listid not specified. But do we have the name?
-- 
2.39.5
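Review bot: In the second hunk, `listid` goes from `int(request.GET['l'])` straight into `MailingList.objects.filter(...)` with no range check, while the handler was narrowed to `except ValueError`. Python's `int()` accepts very long digit strings, so a value wider than the column type may surface as a database error and a 500 instead of the intended 404; this depends on the Django version and on the `MailingList` field types, neither of which is visible here. A guard placed before the lookups would keep the request-supplied value inside the expected range, for example `if abs(listid) > 2147483647: raise Http404()` (assuming 32-bit integer keys). The body of `search()` starts before and continues after this hunk, so later uses of `listid` were not reviewed.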