Core: Search highlighting is prone to regular expression injection
Whatever you enter in the search field is being put unescaped into a regular expression to locally highlight matches. For example:
https://discuss.flarum.org/?q=test%20%5Bblah%5D%2B%20test
You can also easily crash the search by typing an invalid pattern:
tobyzerner
All 8 comments
It's very inappropriate to post security bugs on the issue tracker page. You should have mailed the development team instead.
DanielTheGeek
on 15 Jun 2018
@DanielTheGeek thanks for your concern, I'd like to kindly point out that:
- @tobscure is the project owner and belongs to the active core developer team.
- this bug is not affecting other users, it only affects yourself.
luceos
on 15 Jun 2018
Oh, okay... thanks for pointing that out.
DanielTheGeek
on 15 Jun 2018
lodash has a escapeRegExp method, we can use that or something like (suggested at https://stackoverflow.com/a/6969486):
function escapeRegExp(str) {
return str.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&");
}
which one do you think is better?
sijad
on 1 Jul 2018
@sijad lodash sounds good, just make sure Webpack tree shakes properly :)
tobyzerner
on 5 Jul 2018
I cannot reproduce this in the latest dev-master.
datitisev
on 12 Aug 2018
@datitisev it's not enough to just visit a search URL; you need to actually type a phrase into the search box for it to be parsed as a regular expression.
tobyzerner
on 12 Aug 2018
@tobscure Ah, the issue was that no discussions or posts matched the query. Now I can reproduce it.
Related to https://github.com/flarum/core/pull/1539, may want to escape regex in #1539 instead of the current solution.
datitisev
on 12 Aug 2018
Related issues
franzliedke
路
4Comments
webpigeon
路
3Comments
Ralkage
路
4Comments
datitisev
路
3Comments
jordanjay29
路
3Comments
Most helpful comment
@DanielTheGeek thanks for your concern, I'd like to kindly point out that: