T144845-REL1_27.patch
No One
Actions

Authored By

	Bawolff
	Feb 3 2017, 8:47 AM

Size

1 KB

Referenced Files

None

Subscribers

None

T144845-REL1_27.patch
View Options

	From 33de94974921a86b653f287344f0d1e2e22b8543 Mon Sep 17 00:00:00 2001
	From: Brian Wolff <bawolff+wn@gmail.com>
	Date: Mon, 26 Sep 2016 10:40:30 +0000
	Subject: [PATCH] SECURITY: XSS in search if $wgAdvancedSearchHighlighting =
	true;

	In the non-default configuration where $wgAdvancedSearchHighlighting
	is set to true, there is an XSS vulnerability as HTML tags are
	not properly escaped if the tag spans multiple search results

	Issue introduced in abf726ea0 (MediaWiki 1.13 and above).

	Bug: T144845
	Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
	---
	includes/search/SearchHighlighter.php \| 8 ++++++++
	1 file changed, 8 insertions(+)

	diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php
	index 2bd1955..dfe2e32 100644
	--- a/includes/search/SearchHighlighter.php
	+++ b/includes/search/SearchHighlighter.php
	@@ -29,6 +29,10 @@
	class SearchHighlighter {
	protected $mCleanWikitext = true;

	+ /**
	+ * @warning If you pass false to this constructor, then
	+ * the caller is responsible for HTML escaping.
	+ */
	function __construct( $cleanupWikitext = true ) {
	$this->mCleanWikitext = $cleanupWikitext;
	}
	@@ -456,6 +460,10 @@ class SearchHighlighter {
	$text = preg_replace( "/('''\|<\/?[iIuUbB]>)/", "", $text );
	$text = preg_replace( "/''/", "", $text );

	+ // Note, the previous /<\/?[^>]+>/ is insufficient
	+ // for XSS safety as the HTML tag can span multiple
	+ // search results (T144845).
	+ $text = Sanitizer::escapeHtmlAllowEntities( $text );
	return $text;
	}

	--
	1.9.5 (Apple Git-50.3)

Attached To	Mode
T144845: XSS in SearchHighlighter::highlightText() [requires non-default config]	Attached	Detach File
T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release	Attached	Detach File