Last modified: 2014-10-28 18:01:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 35043 - PostgreSQL: "syntax error in tsquery" when search term contains apostrophes
PostgreSQL: "syntax error in tsquery" when search term contains apostrophes
Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Search (Other open bugs)
1.20.x
PC All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
: 31006 (view as bug list)
Depends on:
Blocks: postgres
  Show dependency treegraph
 
Reported: 2012-03-07 22:50 UTC by Robert Hendriks
Modified: 2014-10-28 18:01 UTC (History)
6 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Robert Hendriks 2012-03-07 22:50:11 UTC
I found a SQL injection in the search form.
If you enter a single quote into the form the postgreSQL server respond with the following error:

Warning: pg_query(): Query failed: ERROR: syntax error in tsquery: "'" in <FULLPATH>\DatabasePostgres.php on line 584 Sorry, that was not a valid search string. Please go back and try again

Wich means the server is vulrnable to an SQL injection.

Reproduce:
1. go to the main wiki page
2. Enter the single quote into the search form

Shortcut to the bug:

https://wiki.<WEBSITE-NAME>.org/en/Special:Search?search=%27&go=Go

Note that the %27 is the single quote character !

Originaly found at:
https://wiki.mageia.org/en/Special:Search?search=%27&go=Go
(Already told them about this)

Robert Hendriks
Comment 1 Mark A. Hershberger 2012-03-08 05:50:29 UTC
Could you test this against 1.18?
Comment 2 Marcin Cieślak 2012-03-08 20:15:18 UTC
Reproduced in trunk (r113364)
Comment 3 Marcin Cieślak 2012-03-08 21:53:53 UTC
*** Bug 31006 has been marked as a duplicate of this bug. ***
Comment 4 Marcin Cieślak 2012-03-08 23:17:49 UTC
I don't think it's an SQL injection problem. 

There is a problem with proper quoting of lexemes passed over to to_tsquery() function.

What we do in this case is:

trunk=> select to_tsquery('''');
ERROR:  syntax error in tsquery: "'"

Somebody ran into a similar problem here:

http://archives.postgresql.org/pgsql-sql/2008-08/msg00027.php
Comment 5 Tim Starling 2012-03-09 04:10:42 UTC
It's an arbitrary parameter to_tsquery(), not arbitrary SQL, and my reading of the relevant manual section:

http://www.postgresql.org/docs/8.4/interactive/datatype-textsearch.html

suggests that this is not exploitable. The operations which can be performed are very limited. So I'm changing the component, severity and summary.
Comment 6 Karun 2012-09-08 00:03:04 UTC
I have submitted a patch to check for ' to gerrit, to stop the database error appearing.
https://gerrit.wikimedia.org/r/#/c/23064/
Comment 7 Andre Klapper 2012-10-21 02:55:01 UTC
(In reply to comment #6)
> I have submitted a patch to check for ' to gerrit

Patch needs improvement according to review - Karun, would you have time?
Comment 8 Andre Klapper 2013-03-06 15:20:42 UTC
Patch needs improvement according to review - Karun, would you have time?
Comment 9 Gerrit Notification Bot 2014-10-28 18:01:12 UTC
Change 23064 had a related patch set uploaded by Tim Landscheidt:
Escape apostrophes in search terms for PostgreSQL

https://gerrit.wikimedia.org/r/23064

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links