Last modified: 2008-03-19 00:35:37 UTC

Bug 9403 - Special:Search accepts and reprints queries containing newlines, arbitrary wikitext, and other garbage
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Search
Version: unspecified
Hardware: All All
Importance: Normal minor
Assigned To: Nobody
Reported: 2007-03-23 20:49 UTC by GNUtoo
Modified: 2008-03-19 00:35 UTC (History)
Description GNUtoo 2007-03-23 20:49:40 UTC
The search function should not allow such a thing:
Comment 1 GNUtoo 2007-03-23 20:50:18 UTC
tinyurl version
http://tinyurl.com/2n75r4
Comment 2 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-03-23 21:01:09 UTC
Basically Special:Search doesn't filter on insane queries containing, e.g., newlines, and it seems to render it all as wikitext (try:

http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=%0D%0A*+This+is+an+unordered+list%0D%0A*+Another+item

and look at the top of the page, "you searched for"). Some sanity checks would be good to add here.
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-03-23 21:06:30 UTC
Alternative URL that could confuse silly people: <http://tinyurl.com/2exfw5>. Some quote marks around the search terms wouldn't hurt.  :P
Comment 4 Brion Vibber 2008-03-19 00:35:37 UTC
Now strips newlines in r32148.

(Note this is for internal search engine; old LuceneSearch probably still won't do it. We won't be using it in a couple days.)
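
The sanity checks asked for in Comment 2 and the quoting suggested in Comment 3, sketched as an added PHP example (not part of the bug report and not the code from r32148). The helper names are hypothetical, and the escaping step assumes the wikitext renderer displays numeric character references as literal characters rather than re-parsing them as markup.

```php
<?php
// Added example with hypothetical helper names; not MediaWiki's code.

/** Collapse a raw search term to one trimmed, length-capped line. */
function normalizeSearchTerm( $raw, int $maxLen = 255 ): string {
    // Reject arrays (search[]=x) and invalid UTF-8 instead of guessing.
    if ( !is_string( $raw ) || preg_match( '//u', $raw ) !== 1 ) {
        return '';
    }
    // \p{Cc} covers CR, LF, tab and the other control characters; \p{Z}
    // covers every Unicode space plus the separators U+2028 and U+2029.
    // With no line breaks left, the term cannot open a new wikitext line.
    $text = trim( preg_replace( '/[\p{Cc}\p{Z}]+/u', ' ', $raw ) );
    preg_match( '/^.{0,' . $maxLen . '}/us', $text, $m );
    return rtrim( $m[0] );
}

/** Turn markup-significant characters into numeric character references. */
function escapeForWikitext( string $text ): string {
    // Assumption: the renderer prints these references literally.
    static $map = [
        '&' => '&#38;', '<' => '&#60;', '>' => '&#62;', '"' => '&#34;',
        "'" => '&#39;', '[' => '&#91;', ']' => '&#93;', '{' => '&#123;',
        '}' => '&#125;', '|' => '&#124;', '=' => '&#61;', '*' => '&#42;',
        '#' => '&#35;', ':' => '&#58;', ';' => '&#59;', '!' => '&#33;',
        '_' => '&#95;', '~' => '&#126;',
    ];
    // strtr() with an array never rescans its own output, so the '&' and
    // '#' inside an emitted reference are not escaped a second time.
    return strtr( $text, $map );
}

// The URL from Comment 2, used as sample input.
$url = 'http://en.wikipedia.org/w/index.php?title=Special%3ASearch'
    . '&search=%0D%0A*+This+is+an+unordered+list%0D%0A*+Another+item';
parse_str( (string)parse_url( $url, PHP_URL_QUERY ), $params );

$term = normalizeSearchTerm( $params['search'] ?? '' );
// Quote marks delimit the echoed term, as Comment 3 suggests.
echo 'You searched for "' . escapeForWikitext( $term ) . "\"\n";
```

Stripping newlines alone only stops markup that depends on a line start; the escaping step is what keeps inline syntax such as links and templates in the echoed term from being rendered.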
