getleaderboard.aspx returns an unlimited number of entries

[cetteup]

The number of returned leaderboard entries is not limited at all. Allowing anyone to dump all players with e.g. score > 0 in a single request. Depending on the number of players in the database, this becomes a DoS vector.

asp/src/ASP/aspx/getleaderboard.php

Lines 82 to 90 in df86f71

	$after = (isset($_GET['after'])) ? (int)$_GET['after'] : 19;
	$before = (isset($_GET['before'])) ? (int)$_GET['before'] : 0;
	$pos = (isset($_GET['pos'])) ? (int)$_GET['pos'] : 1;
	$min = ($pos - 1) - $before;
	$max = $after + 1;
	// Negative correction
	if ($min < 0) $min = 0;
	if ($max < 0) $max = 0;

The game loads 20 entries per page by default, which seems like a sensible limit. So $max should simply be set the minimum of $min+min($after+1, 20).