r45425 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r45424‎ \| r45425 \| r45426 >
Date:	20:37, 5 January 2009
Author:	brion
Status:	resolved
Tags:
Comment:	* Fix XSS in Special:Search with extended engine features ("did you mean") Switched a couple of manually created '<a href>'s to use Linker functions, and put an htmlspecialchars() on the 'did you mean' snippet result which was spewing raw input-derived text into output (bad!)
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/specials/SpecialSearch.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/specials/SpecialSearch.php
—	—	@@ -113,9 +113,11 @@
114	114	* @param string $term
115	115	*/
116	116	public function showResults( $term ) {
117		~~- global $wgOut, $wgDisableTextSearch, $wgContLang;~~
	117	+ global $wgOut, $wgUser, $wgDisableTextSearch, $wgContLang;
118	118	wfProfileIn( __METHOD__ );
119	119
	120	+ $sk = $wgUser->getSkin();
	121	+
120	122	$this->searchEngine = SearchEngine::create();
121	123	$search =& $this->searchEngine;
122	124	$search->setLimitOffset( $this->limit, $this->offset );
—	—	@@ -166,8 +168,9 @@
167	169	array( 'search' => $textMatches->getSuggestionQuery(), 'fulltext' => wfMsg('search') ),
168	170	$this->powerSearchOptions()
169	171	);
170		~~- $suggestLink = '<a href="'.$st->escapeLocalURL($stParams).'">'.~~
171		~~- $textMatches->getSuggestionSnippet().'</a>';~~
	172	+ $suggestLink = $sk->makeKnownLinkObj( $st,
	173	+ htmlspecialchars( $textMatches->getSuggestionSnippet() ),
	174	+ $stParams );
172	175
173	176	$this->didYouMeanHtml = '<div class="searchdidyoumean">'.wfMsg('search-suggest',$suggestLink).'</div>';
174	177	}
—	—	@@ -384,7 +387,7 @@
385	388	* @param array $terms terms to highlight
386	389	*/
387	390	protected function showHit( $result, $terms ) {
388		~~- global $wgContLang, $wgLang;~~
	391	+ global $wgContLang, $wgLang, $wgUser;
389	392	wfProfileIn( __METHOD__ );
390	393
391	394	if( $result->isBrokenTitle() ) {
—	—	@@ -392,6 +395,7 @@
393	396	return "<!-- Broken link in search result -->\n";
394	397	}
395	398
	399	+ $sk = $wgUser->getSkin();
396	400	$t = $result->getTitle();
397	401
398	402	$link = $this->sk->makeKnownLinkObj( $t, $result->getTitleSnippet($terms));
—	—	@@ -457,8 +461,8 @@
458	462	array('search' => wfMsgForContent('searchrelated').':'.$t->getPrefixedText(),
459	463	'fulltext' => wfMsg('search') ));
460	464
461		~~- $related = ' -- <a href="'.$st->escapeLocalURL($stParams).'">'.~~
462		~~- wfMsg('search-relatedarticle').'</a>';~~
	465	+ $related = ' -- ' . $sk->makeKnownLinkObj( $st,
	466	+ wfMsg('search-relatedarticle'), $stParams );
463	467	}
464	468
465	469	// Include a thumbnail for media files...
—	—	@@ -942,8 +946,9 @@
943	947	'fulltext' => wfMsg('search')),
944	948	$this->powerSearchOptions());
945	949
946		~~- $suggestLink = '<a href="'.$st->escapeLocalURL($stParams).'">'.~~
947		~~- $textMatches->getSuggestionSnippet().'</a>';~~
	950	+ $suggestLink = $sk->makeKnownLinkObj( $st,
	951	+ htmlspecialchars( $textMatches->getSuggestionSnippet() ),
	952	+ $stParams );
948	953
949	954	$wgOut->addHTML('<div class="searchdidyoumean">'.wfMsg('search-suggest',$suggestLink).'</div>');
950	955	}
—	—	@@ -1233,8 +1238,8 @@
1234	1239	array('search' => wfMsgForContent('searchrelated').':'.$t->getPrefixedText(),
1235	1240	'fulltext' => wfMsg('search') ));
1236	1241
1237		~~- $related = ' -- <a href="'.$st->escapeLocalURL($stParams).'">'.~~
1238		~~- wfMsg('search-relatedarticle').'</a>';~~
	1242	+ $related = ' -- ' . $sk->makeKnownLinkObj( $st,
	1243	+ wfMsg('search-relatedarticle'), $stParams );
1239	1244	}
1240	1245
1241	1246	// Include a thumbnail for media files...
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -468,8 +468,8 @@
469	469	that STDIN can be used for page list
470	470	* Sanitizer::decodeCharReferences() now decodes the XHTML "'" character
471	471	entity (loosely related to bug 14365)
	472	+* Fix XSS in Special:Search with extended engine features ("did you mean")
472	473
473		-
474	474	=== API changes in 1.14 ===
475	475
476	476	* Registration time of users registered before the DB field was created is now

Follow-up revisions

Revision	Commit summary	Author	Date
r45427	Follow-up to r45425 -- bug was in MWSearch, not core. It's supposed to be HTM...	brion	20:46, 5 January 2009

Status & tagging log

03:29, 7 January 2009 Brion VIBBER (talk | contribs) changed the status of r45425 [removed: new added: resolved]