Bug 551396 - Gentoo Wiki search box not doing input sanitization on "-"
Status: RESOLVED UPSTREAM
Product: Websites
Classification: Unclassified
Component: Wiki
Hardware: All
OS: All
Importance: Normal minor
Assignee: Gentoo Wiki Team
Reported: 2015-06-06 21:10 UTC by Addison Amiri
Modified: 2015-06-06 22:13 UTC
CC: 1 user

Description Addison Amiri 2015-06-06 21:10:29 UTC
I couldn't find the right component, as this is in the website instead of an actual part of Gentoo, but I found this accidentally and I wanted to report it before anyone takes advantage of it.

If you type any "-" into the wiki.gentoo.org search box, a database error gets returned. If there is sanitization going on, I think a better error page would be the simplest course of action, but I didn't want to break anything by finding out if that was the case. Ideally users should be able to search for something with a "-" in it, so I think it should be fixed either way.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-06-06 22:13:57 UTC
My observations: 
 - Searching for strings containing a - works as intended.
 - /^-+/ is a 'problem'.
 - The resulting queries are properly escaped; the '-' is simply not expected there in the MySQL fulltext query.

This might be fixed in a recent MediaWiki version, and an update of our site might fix it. Otherwise, I don't see a need for more investigation and/or fixing.

Thanks for your report and concern.
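The distinction drawn in comment 1 (the value is escaped for SQL, yet a leading run of hyphens still breaks the query) comes from the fact that MySQL boolean-mode fulltext search has its own operator grammar inside the bound string, where a leading '-' means "exclude this term". The following Python is an added illustration, not MediaWiki's or the Gentoo wiki's code: it detects the /^-+/ case Alex describes, applies one possible application-side mitigation (stripping the leading hyphen run only, so hyphens inside words and exclusion terms later in the query are preserved), and builds a parameterised statement to show that the bind parameter and the fulltext grammar are separate layers. The table and column names in the SQL are placeholders chosen for the example.

```python
import re

# The failing pattern named in comment 1: a query beginning with one or more
# hyphens.
LEADING_HYPHENS = re.compile(r"^-+")


def is_problematic(query: str) -> bool:
    """True for the /^-+/ case: the query starts with a run of hyphens."""
    return LEADING_HYPHENS.match(query) is not None


def neutralise_query(query: str) -> str:
    """Remove any leading run of hyphens (and hyphen-only leading tokens).

    Assumed mitigation, not MediaWiki's code. Only the start of the query is
    touched, matching the reported failure: "x86-64" keeps its interior
    hyphen and "kernel -genkernel" keeps its exclusion term, while "-foo"
    becomes "foo" and a query of nothing but hyphens becomes "".
    """
    cleaned = query.strip()
    while LEADING_HYPHENS.match(cleaned):
        cleaned = LEADING_HYPHENS.sub("", cleaned, count=1).strip()
    return cleaned


def build_search(query: str):
    """Return (sql, params) for a parameterised boolean-mode fulltext query.

    The %s placeholder is filled by the database driver, so SQL injection is
    not possible through it; the fulltext engine nevertheless parses operator
    characters inside the bound string, which is why neutralise_query runs
    first. Raises ValueError when nothing searchable remains, so the caller
    can show a normal "no results" page instead of a database error.
    Table and column names (searchindex, si_text, page_id, page_title) are
    assumed for illustration.
    """
    cleaned = neutralise_query(query)
    if not cleaned:
        raise ValueError("query contains nothing searchable")
    sql = (
        "SELECT page_id, page_title FROM searchindex "
        "WHERE MATCH(si_text) AGAINST(%s IN BOOLEAN MODE)"
    )
    return sql, (cleaned,)


if __name__ == "__main__":
    for q in ["-openrc", "---", "x86-64 kernel -genkernel"]:
        print(repr(q), "problematic:", is_problematic(q), "->", repr(neutralise_query(q)))
```

The check and the rewrite are deliberately limited to the query start. Rewriting every '-'-prefixed token would also silence the error, but it would change the meaning of deliberate exclusion terms, which comment 1 reports as working as intended.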