Page MenuHomePhabricator
Create Task
Maniphest T37043

PostgreSQL: "syntax error in tsquery" when search term contains apostrophes
Open, MediumPublic
Actions

Description

Author: roberthend15

Description:
I found a SQL injection in the search form.
If you enter a single quote into the form the postgreSQL server respond with the following error:

Warning: pg_query(): Query failed: ERROR: syntax error in tsquery: "'" in <FULLPATH>\DatabasePostgres.php on line 584 Sorry, that was not a valid search string. Please go back and try again

Wich means the server is vulrnable to an SQL injection.

Reproduce:

  1. go to the main wiki page
  2. Enter the single quote into the search form

Shortcut to the bug:

https://wiki.<WEBSITE-NAME>.org/en/Special:Search?search=%27&go=Go

Note that the %27 is the single quote character !

Originaly found at:
https://wiki.mageia.org/en/Special:Search?search=%27&go=Go
(Already told them about this)

Robert Hendriks

Version: 1.20.x
Severity: normal
Platform: PC

Details

Reference
bz35043
SubjectRepoBranchLines +/-
Escape apostrophes in search terms for PostgreSQLmediawiki/coremaster+3 -4
Customize query in gerrit

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:17 AM
bzimport added a project: MediaWiki-Search.
bzimport set Reference to bz35043.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Mar 7 2012, 10:50 PM
MarkAHershberger added a comment.Mar 8 2012, 5:50 AM

Could you test this against 1.18?

saper added a comment.Mar 8 2012, 8:15 PM

Reproduced in trunk (r113364)

saper added a comment.Mar 8 2012, 9:53 PM
  • Bug 31006 has been marked as a duplicate of this bug. ***
saper added a comment.Mar 8 2012, 11:17 PM

I don't think it's an SQL injection problem.

There is a problem with proper quoting of lexemes passed over to to_tsquery() function.

What we do in this case is:

trunk=> select to_tsquery('''');
ERROR: syntax error in tsquery: "'"

Somebody ran into a similar problem here:

http://archives.postgresql.org/pgsql-sql/2008-08/msg00027.php

tstarling added a comment.Mar 9 2012, 4:10 AM

It's an arbitrary parameter to_tsquery(), not arbitrary SQL, and my reading of the relevant manual section:

http://www.postgresql.org/docs/8.4/interactive/datatype-textsearch.html

suggests that this is not exploitable. The operations which can be performed are very limited. So I'm changing the component, severity and summary.

bzimport added a comment.Sep 8 2012, 12:03 AM

karun.84 wrote:

I have submitted a patch to check for ' to gerrit, to stop the database error appearing.
https://gerrit.wikimedia.org/r/#/c/23064/

Aklapper added a comment.Oct 21 2012, 2:55 AM

(In reply to comment #6)

I have submitted a patch to check for ' to gerrit

Patch needs improvement according to review - Karun, would you have time?

Aklapper added a comment.Mar 6 2013, 3:20 PM

Patch needs improvement according to review - Karun, would you have time?

gerritbot added a comment.Oct 28 2014, 6:01 PM

Change 23064 had a related patch set uploaded by Tim Landscheidt:
Escape apostrophes in search terms for PostgreSQL

https://gerrit.wikimedia.org/r/23064

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
Jdforrester-WMF added a project: PostgreSQL.Nov 2 2016, 8:16 PM
Jdforrester-WMF subscribed.

Migrating from the old tracking task to a tag for PostgreSQL-related tasks.

Restricted Application added projects: Discovery-ARCHIVED, Discovery-Search. · View Herald TranscriptNov 2 2016, 8:16 PM
MarkAHershberger unsubscribed.Nov 3 2016, 3:52 AM
Deskana removed projects: Discovery-Search, Discovery-ARCHIVED.Nov 3 2016, 10:12 PM
Deskana set Security to None.
Deskana subscribed.

Removing Discovery-ARCHIVED and Discovery-Search; our primary responsibility is to users of the Wikimedia sites, and we do not use Postgres there.

Deskana added a project: patch-welcome.Nov 3 2016, 10:12 PM
SamanthaNguyen moved this task from Backlog / Other to Patch pending review on the acl*security board.Jan 8 2017, 12:01 AM
gerritbot subscribed.Mar 1 2017, 9:42 PM

Change 23064 had a related patch set uploaded (by Tim Landscheidt):
[mediawiki/core] Escape apostrophes in search terms for PostgreSQL

https://gerrit.wikimedia.org/r/23064

scfc removed a project: acl*security.Mar 1 2017, 9:55 PM
scfc added a subscriber: tstarling.

(As @tstarling already assessed in T37043#399694, this is not exploitable.)

tstarling mentioned this in T164898: PostgreSQL schema change for consistency with MySQL.Jun 2 2017, 6:38 AM
Krinkle removed a parent task: T2384: [REPLACED BY TAG] PostgreSQL/pgsql support (tracking).Aug 14 2018, 3:09 AM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 23 2023, 12:45 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits