From d4c3e940903f207bb531d5112e710b052e8bc4e0 Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Mon, 26 Sep 2016 10:40:30 +0000 Subject: [PATCH 02/10] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true; In the non-default configuration where $wgAdvancedSearchHighlighting is set to true, there is an XSS vulnerability as HTML tags are not properly escaped if the tag spans multiple search results Issue introduced in abf726ea0 (MediaWiki 1.13 and above). Bug: T144845 Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3 --- RELEASE-NOTES-1.28 | 2 ++ includes/search/SearchHighlighter.php | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28 index 95a010a..593685e 100644 --- a/RELEASE-NOTES-1.28 +++ b/RELEASE-NOTES-1.28 @@ -17,6 +17,8 @@ This is not a release yet! * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. == MediaWiki 1.28 == diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php index dd41a6e..79c401d 100644 --- a/includes/search/SearchHighlighter.php +++ b/includes/search/SearchHighlighter.php @@ -29,6 +29,10 @@ class SearchHighlighter { protected $mCleanWikitext = true; + /** + * @warning If you pass false to this constructor, then + * the caller is responsible for HTML escaping. + */ function __construct( $cleanupWikitext = true ) { $this->mCleanWikitext = $cleanupWikitext; } @@ -456,6 +460,10 @@ class SearchHighlighter { $text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text ); $text = preg_replace( "/''/", "", $text ); + // Note, the previous /<\/?[^>]+>/ is insufficient + // for XSS safety as the HTML tag can span multiple + // search results (T144845). + $text = Sanitizer::escapeHtmlAllowEntities( $text ); return $text; } -- 2.9.3