jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/346840 )
Change subject: SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true; ...................................................................... SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true; In the non-default configuration where $wgAdvancedSearchHighlighting is set to true, there is an XSS vulnerability as HTML tags are not properly escaped if the tag spans multiple search results Issue introduced in abf726ea0 (MediaWiki 1.13 and above). Bug: T144845 Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3 --- M RELEASE-NOTES-1.29 M includes/search/SearchHighlighter.php 2 files changed, 10 insertions(+), 0 deletions(-) Approvals: Chad: Looks good to me, approved jenkins-bot: Verified diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29 index 11f961e..a2dbcd5 100644 --- a/RELEASE-NOTES-1.29 +++ b/RELEASE-NOTES-1.29 @@ -88,6 +88,8 @@ * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, diff --git a/includes/search/SearchHighlighter.php b/includes/search/SearchHighlighter.php index d0e3a24..cebdb40 100644 --- a/includes/search/SearchHighlighter.php +++ b/includes/search/SearchHighlighter.php @@ -29,6 +29,10 @@ class SearchHighlighter { protected $mCleanWikitext = true; + /** + * @warning If you pass false to this constructor, then + * the caller is responsible for HTML escaping. + */ function __construct( $cleanupWikitext = true ) { $this->mCleanWikitext = $cleanupWikitext; } @@ -456,6 +460,10 @@ $text = preg_replace( "/('''|<\/?[iIuUbB]>)/", "", $text ); $text = preg_replace( "/''/", "", $text ); + // Note, the previous /<\/?[^>]+>/ is insufficient + // for XSS safety as the HTML tag can span multiple + // search results (T144845). + $text = Sanitizer::escapeHtmlAllowEntities( $text ); return $text; } -- To view, visit https://gerrit.wikimedia.org/r/346840 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2db7888d591b97f1a01bfd3b7567ce6f169874d3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: Chad <ch...@wikimedia.org> Gerrit-Reviewer: DCausse <dcau...@wikimedia.org> Gerrit-Reviewer: Smalyshev <smalys...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits