From 898d73a22f44686ea46e4d3ee76d6ad5becfef2c Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 26 Sep 2016 10:40:30 +0000
Subject: [PATCH 2/8] SECURITY: XSS in search if $wgAdvancedSearchHighlighting
 = true;

In the non-default configuration where $wgAdvancedSearchHighlighting
is set to true, there is an XSS vulnerability, as HTML tags are
not properly escaped if a tag spans multiple search results.

Issue introduced in abf726ea0 (MediaWiki 1.13 and above).

Bug: T144845
Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3
---
 RELEASE-NOTES-1.23                    | 2 ++
 includes/search/SearchHighlighter.php | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 05a71e3..a38e95b 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -10,6 +10,8 @@ This is not a release yet!
 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
   to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+  $wgAdvancedSearchHighlighting is true.
 
 == MediaWiki 1.23.15 ==
 
diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php
index 4c8aea5..5bfdca1 100644
--- a/includes/search/SearchHighlighter.php
+++ b/includes/search/SearchHighlighter.php
@@ -29,6 +29,10 @@
 class SearchHighlighter {
 	var $mCleanWikitext = true;
 
+	/**
+	 * @warning If you pass false to this constructor, then
+	 *  the caller is responsible for HTML escaping.
+	 */
 	function __construct( $cleanupWikitext = true ) {
 		$this->mCleanWikitext = $cleanupWikitext;
 	}
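Review bot: The new docblock warns about passing false but never documents the parameter itself or what "HTML escaping" refers to, so a reader still has to find the escaping site to understand the contract. I would add `@param bool $cleanupWikitext Whether to strip wiki markup from the text and HTML-escape the result; when false the caller must escape the returned snippet before output.` above the @warning, keeping the warning as is. The property `var $mCleanWikitext` on the line above is untyped and uses the legacy `var` keyword; if the file is otherwise being touched, `public $mCleanWikitext = true;` would match the rest of the codebase's style, though that is beyond the scope of a security fix.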
@@ -451,6 +455,11 @@ class SearchHighlighter {
 		$text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text );
 		$text = preg_replace( "/''/", "", $text );
 
+		// Note, the previous /<\/?[^>]+>/ is insufficient
+		// for XSS safety as the HTML tag can span multiple
+		// search results (T144845).
+		$text = Sanitizer::escapeHtmlAllowEntities( $text );
+
 		wfProfileOut( $fname );
 		return $text;
 	}
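Review bot: The added comment refers to "the previous /<\/?[^>]+>/" but that regex is not in the hunk and is not removed by it, so a reader cannot tell which line it means or whether the strip still runs; rewording it as `// The tag-stripping regex earlier in this function is insufficient for XSS safety on its own, because a tag can span multiple search results (T144845); always escape here.` makes the intent self-contained. The enclosing function starts outside the hunk, and from the constructor warning in the first hunk it appears this escaping only runs on the mCleanWikitext path, which is presumably why the caller-responsibility warning was added; it would help to say so in this comment. Since the fix is a single escaping call, it also deserves a regression test: a fixture whose opening tag sits in one result and whose closing tag sits in the next, asserting that the highlighted output contains no unescaped `<` outside the highlighter's own span markup.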
-- 
2.9.3

