jenkins-bot has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/346859 )
Change subject: SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;
......................................................................
SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;
In the non-default configuration where $wgAdvancedSearchHighlighting
is set to true, there is an XSS vulnerability as HTML tags are
not properly escaped if the tag spans multiple search results
Issue introduced in abf726ea0 (MediaWiki 1.13 and above).
Bug: T144845
Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
---
M RELEASE-NOTES-1.28
M includes/search/SearchHighlighter.php
2 files changed, 10 insertions(+), 0 deletions(-)
Approvals:
Chad: Looks good to me, approved
jenkins-bot: Verified
diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index 3cdaebf..0913a74 100644
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -18,6 +18,8 @@
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28
installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
redirect
to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+ $wgAdvancedSearchHighlighting is true.
== MediaWiki 1.28 ==
diff --git a/includes/search/SearchHighlighter.php
b/includes/search/SearchHighlighter.php
index dd41a6e..79c401d 100644
--- a/includes/search/SearchHighlighter.php
+++ b/includes/search/SearchHighlighter.php
@@ -29,6 +29,10 @@
class SearchHighlighter {
protected $mCleanWikitext = true;
+ /**
+ * @warning If you pass false to this constructor, then
+ * the caller is responsible for HTML escaping.
+ */
function __construct( $cleanupWikitext = true ) {
$this->mCleanWikitext = $cleanupWikitext;
}
@@ -456,6 +460,10 @@
$text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
$text = preg_replace( "/''/", "", $text );
+ // Note, the previous /<\/?[^>]+>/ is insufficient
+ // for XSS safety as the HTML tag can span multiple
+ // search results (T144845).
+ $text = Sanitizer::escapeHtmlAllowEntities( $text );
return $text;
}
--
To view, visit https://gerrit.wikimedia.org/r/346859
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_28
Gerrit-Owner: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: DCausse <dcau...@wikimedia.org>
Gerrit-Reviewer: Smalyshev <smalys...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
