From 028fd1ff640140881578b782efcbbbbd9d9da39e Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Mon, 26 Sep 2016 10:40:30 +0000 Subject: [PATCH 02/10] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true; In the non-default configuration where $wgAdvancedSearchHighlighting is set to true, there is an XSS vulnerability as HTML tags are not properly escaped if the tag spans multiple search results Issue introduced in abf726ea0 (MediaWiki 1.13 and above). Bug: T144845 Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3 --- RELEASE-NOTES-1.27 | 2 ++ includes/search/SearchHighlighter.php | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 3df89e0..3d4dfd3 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -25,6 +25,8 @@ was released. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. == MediaWiki 1.27.1 == diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php index 2bd1955..dfe2e32 100644 --- a/includes/search/SearchHighlighter.php +++ b/includes/search/SearchHighlighter.php @@ -29,6 +29,10 @@ class SearchHighlighter { protected $mCleanWikitext = true; + /** + * @warning If you pass false to this constructor, then + * the caller is responsible for HTML escaping. + */ function __construct( $cleanupWikitext = true ) { $this->mCleanWikitext = $cleanupWikitext; } @@ -456,6 +460,10 @@ class SearchHighlighter { $text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text ); $text = preg_replace( "/''/", "", $text ); + // Note, the previous /<\/?[^>]+>/ is insufficient + // for XSS safety as the HTML tag can span multiple + // search results (T144845). + $text = Sanitizer::escapeHtmlAllowEntities( $text ); return $text; } -- 2.9.3