
Bug 551396

Summary: Gentoo Wiki search box not doing input sanitization on "-"
Product: Websites
Reporter: Addison Amiri <addisonamiri>
Component: Wiki
Assignee: Gentoo Wiki Team <wiki>
Status: RESOLVED UPSTREAM
Severity: minor
CC: addisonamiri
Priority: Normal
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Addison Amiri 2015-06-06 21:10:29 UTC
I couldn't find the right component, as this is in the website rather than an actual part of Gentoo, but I found this accidentally and wanted to report it before anyone takes advantage of it.

If you type any "-" into the wiki.gentoo.org search box, a database error gets returned. If there is sanitization going on, I think a better error page would be the simplest course of action, but I didn't want to break anything by finding out whether that was the case. Ideally users should be able to search for something with a "-" in it, so I think it should be fixed either way.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-06-06 22:13:57 UTC
My observations:
 - Searching for strings containing a "-" works as intended.
 - /^-+/ is a 'problem'.
 - The resulting queries are properly escaped; the "-" is simply not expected there in the MySQL fulltext query.

This might be fixed in a recent MediaWiki version, and an update of our site might fix it. Otherwise, I don't see a need for more investigation and/or fixing.

Thanks for your report and concern.
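Comment 1 places the fault in the fulltext query itself rather than in escaping: in MySQL boolean-mode fulltext search a leading "-" marks a term as excluded, so a token that is nothing but "-" characters is an operator with no word to apply to, and the query fails instead of returning an empty result. The following is an added example (not MediaWiki's or the Gentoo wiki's own code) of the normalisation step a search front end can run before the query reaches the database: it collapses the /^-+/ case, drops tokens that were only operators, quotes hyphenated words so the hyphen is matched literally, and binds the result as a parameter. The table and column names (`wiki_page`, `page_text`) and the `%s` placeholder style are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Characters MySQL reads as operators in boolean-mode fulltext queries.
# Inside a word they are stripped; '-' is kept there so hyphenated words survive.
_OPERATOR_CHARS = set('+-~<>()@*"')
_LEADING_OPERATORS = '+-~<>'
# A double-quoted phrase, or any run of non-whitespace.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def normalize_boolean_query(user_input: str, max_terms: int = 16) -> Optional[str]:
    """Turn raw search-box input into a boolean-mode query string.

    Returns None when nothing searchable is left (for example input that is
    only '-' characters), so the caller can skip the database entirely.
    """
    positive, negative = [], []
    for token in _TOKEN_RE.findall(user_input):
        if token.startswith('"'):
            # Quoted phrase: keep as-is apart from trimming.
            phrase = token.strip('"').strip()
            if phrase:
                positive.append('"%s"' % phrase)
            continue
        exclude = token.startswith('-')
        # Collapse any run of leading operators (the /^-+/ case from the report).
        body = token.lstrip(_LEADING_OPERATORS)
        wildcard = body.endswith('*')
        body = ''.join(ch for ch in body if ch not in _OPERATOR_CHARS or ch == '-')
        body = body.strip('-')
        if not body:
            continue  # token was operators only: nothing to search for
        if '-' in body:
            # A hyphen inside a word would otherwise be read as the exclusion
            # operator; quoting it makes MySQL match the literal word.
            term = '"%s"' % body
        else:
            term = body + ('*' if wildcard else '')
        (negative if exclude else positive).append(term)
    if not positive:
        # A query made only of exclusions can match nothing; search the words instead.
        positive, negative = negative, []
    terms = (positive + ['-' + t for t in negative])[:max_terms]
    return ' '.join(terms) if terms else None


def build_search_sql(user_input: str) -> Optional[Tuple[str, Tuple[str]]]:
    """Return (sql, params) with the query bound as a parameter, or None."""
    query = normalize_boolean_query(user_input)
    if query is None:
        return None
    # Table and column names are placeholders for this example.
    sql = ("SELECT page_id, page_title FROM wiki_page "
           "WHERE MATCH(page_text) AGAINST(%s IN BOOLEAN MODE) LIMIT 20")
    return sql, (query,)


if __name__ == "__main__":
    # Constructed sample inputs, including the ones from the bug report.
    for sample in ["-", "---", "gentoo-sources", "-kernel", "portage -emerge"]:
        print(repr(sample), "->", build_search_sql(sample))
```

Returning `None` for an operator-only query lets the front end show an ordinary "no results" page instead of surfacing a database error; the parameter binding is kept so escaping remains the driver's job, as comment 1 notes it already is.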