Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F5529398
T144845-REL1_23.patch
No One
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
Bawolff
Feb 7 2017, 10:33 AM
2017-02-07 10:33:09 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
T144845-REL1_23.patch
View Options
From b8da051307fa9760bbf8bdbd8edbac6b1b42889a Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 26 Sep 2016 10:40:30 +0000
Subject: [PATCH] SECURITY: XSS in search if $wgAdvancedSearchHighlighting =
true;
In the non-default configuration where $wgAdvancedSearchHighlighting
is set to true, there is an XSS vulnerability as HTML tags are
not properly escaped if the tag spans multiple search results
Issue introduced in abf726ea0 (MediaWiki 1.13 and above).
Bug: T144845
Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
---
includes/search/SearchHighlighter.php | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php
index 4c8aea5..5bfdca1 100644
--- a/includes/search/SearchHighlighter.php
+++ b/includes/search/SearchHighlighter.php
@@ -29,6 +29,10 @@
class SearchHighlighter {
var $mCleanWikitext = true;
+ /**
+ * @warning If you pass false to this constructor, then
+ * the caller is responsible for HTML escaping.
+ */
function __construct( $cleanupWikitext = true ) {
$this->mCleanWikitext = $cleanupWikitext;
}
@@ -451,6 +455,11 @@ class SearchHighlighter {
$text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
$text = preg_replace( "/''/", "", $text );
+ // Note, the previous /<\/?[^>]+>/ is insufficient
+ // for XSS safety as the HTML tag can span multiple
+ // search results (T144845).
+ $text = Sanitizer::escapeHtmlAllowEntities( $text );
+
wfProfileOut( $fname );
return $text;
}
--
1.9.5 (Apple Git-50.3)
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4344709
Default Alt Text
T144845-REL1_23.patch (1 KB)
Attached To
Mode
T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release
Attached
Detach File
T144845: XSS in SearchHighlighter::highlightText() [requires non-default config]
Attached
Detach File
Event Timeline
Log In to Comment