version 1.6.4: 400 on negative offset/limit

lib/apierrors/errors.go

@@ -33,7 +33,7 @@ var (
 	InvalidOffsetOrLimit = APIError{false, 400, "invalid offset or limit query paramters", false}
 
 	// OffsetTooLarge is a 400 bad request error.
-	OffsetTooLarge = APIError{false, 400, "offset is too big", false}
+	LimitTooLarge = APIError{false, 400, "limit is too big", false}
 
 	// NoObjectFound is a 404 not found error.
 	NoObjectFound = APIError{false, 404, "no object found", false}

lib/routes/listobjects.go

@@ -15,7 +15,7 @@ import (
 )
 
 // Maximum objects per page
-const maxOffset = 100
+const maxLimit = 100
 
 // listObjectsResponse is the response format for ListObjects.
 type listObjectsResponse struct {
@@ -45,17 +45,17 @@ func ListObjects(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	l := query.Get("limit")
 	limit, err := strconv.Atoi(l)
-	if err != nil {
+	if err != nil || limit < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
+	if limit > maxLimit {
+		panic(apierrors.LimitTooLarge)
+	}
 	o := query.Get("offset")
 	offset, err := strconv.Atoi(o)
-	if err != nil {
+	if err != nil || offset < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
-	if limit > maxOffset {
-		panic(apierrors.OffsetTooLarge)
-	}
 	asc := false
 	if query.Get("order") == "asc" {
 		asc = true

main.go

@@ -26,7 +26,7 @@ import (
 const (
 	configLocationUnix = "/etc/whats-this/api/config.toml"
 	shutdownTimeout    = 10 * time.Second
-	version            = "1.6.3"
+	version            = "1.6.4"
 )
 
 // printConfiguration iterates through a configuration map[string]interface{}