Page MenuHomePhabricator
Files F5529398

T144845-REL1_23.patch
No One
Actions

Authored By
Bawolff
Feb 7 2017, 10:33 AM
Size
1 KB
Referenced Files
None
Subscribers
None

T144845-REL1_23.patch
View Options

From b8da051307fa9760bbf8bdbd8edbac6b1b42889a Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 26 Sep 2016 10:40:30 +0000
Subject: [PATCH] SECURITY: XSS in search if $wgAdvancedSearchHighlighting =
true;
In the non-default configuration where $wgAdvancedSearchHighlighting
is set to true, there is an XSS vulnerability as HTML tags are
not properly escaped if the tag spans multiple search results
Issue introduced in abf726ea0 (MediaWiki 1.13 and above).
Bug: T144845
Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
---
includes/search/SearchHighlighter.php | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php
index 4c8aea5..5bfdca1 100644
--- a/includes/search/SearchHighlighter.php
+++ b/includes/search/SearchHighlighter.php
@@ -29,6 +29,10 @@
class SearchHighlighter {
var $mCleanWikitext = true;
+ /**
+ * @warning If you pass false to this constructor, then
+ * the caller is responsible for HTML escaping.
+ */
function __construct( $cleanupWikitext = true ) {
$this->mCleanWikitext = $cleanupWikitext;
}
@@ -451,6 +455,11 @@ class SearchHighlighter {
$text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
$text = preg_replace( "/''/", "", $text );
+ // Note, the previous /<\/?[^>]+>/ is insufficient
+ // for XSS safety as the HTML tag can span multiple
+ // search results (T144845).
+ $text = Sanitizer::escapeHtmlAllowEntities( $text );
+
wfProfileOut( $fname );
return $text;
}
--
1.9.5 (Apple Git-50.3)

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4344709
Default Alt Text
T144845-REL1_23.patch (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits