From 3f8536d41eb85fb9e730f1c6eb19a6dced0e946b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= Date: Sat, 14 Jan 2023 13:57:35 +0100 Subject: [PATCH] search: raise 400 on queries without query (#73420) --- combo/apps/search/models.py | 3 +++ tests/test_search.py | 3 +++ 2 files changed, 6 insertions(+) diff --git a/combo/apps/search/models.py b/combo/apps/search/models.py index 3652dee8..37e8f7af 100644 --- a/combo/apps/search/models.py +++ b/combo/apps/search/models.py @@ -202,6 +202,9 @@ class SearchCell(CellBase): if not cell.is_visible(request) or not cell.page.is_visible(request.user): raise PermissionDenied + if 'q' not in request.GET: + return HttpResponseBadRequest('missing query parameter') + query = request.GET.get('q') if '\x00' in query: # nul byte return HttpResponseBadRequest('invalid query string') diff --git a/tests/test_search.py b/tests/test_search.py index 38f7cf58..80847f56 100644 --- a/tests/test_search.py +++ b/tests/test_search.py @@ -433,6 +433,9 @@ def test_search_api(app): # search nul byte resp = app.get('/ajax/search/%s/_text/?q=baz\x00' % cell.id, status=400) + # search no parameter + resp = app.get('/ajax/search/%s/_text/' % cell.id, status=400) + def test_search_on_root_page_api(settings, app): settings.KNOWN_SERVICES = {}
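Review bot: The new guard in combo/apps/search/models.py rejects only an absent parameter, so `?q=` (empty string) and a whitespace-only value still pass through to `query = request.GET.get('q')` and on to the search; if the search providers have no meaningful answer for an empty query, the 400 should cover that case too, e.g. `query = request.GET.get('q')` followed by `if query is None or not query.strip(): return HttpResponseBadRequest('missing query parameter')` — hedged, since an empty query may be intended to mean "no results". Even if empty is allowed, folding the presence check into the existing `.get('q')` line (`if query is None:`) avoids looking the key up twice and keeps the two 400 checks adjacent. The enclosing view method starts before the hunk and continues after it, so the code path following the nul-byte check is not visible here.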
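Review bot: The added request in tests/test_search.py pins only `status=400`, so it cannot distinguish the new "missing query parameter" rejection from the nul-byte 400 exercised two lines above, and it does not cover the `?q=` empty-value case that the new guard lets through. Asserting on the body would make it a real regression test, e.g. `assert resp.text == 'missing query parameter'` if the test client exposes the body as `.text` as elsewhere in this file (not visible in the hunk). As written, `resp` is assigned and never read, same as the preceding nul-byte case.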