Bugfix: Fully correct search context generation. Fixes #30.

Also, fixed a critical security issue in the search context generation which would allow an editor to inject code into the user's browser.
Starbeamrainbowlabs 2016-08-19 13:02:42 +01:00
parent c5017919a1
commit b8dd51d1a1
3 changed files with 25 additions and 5 deletions


@ -2209,8 +2209,10 @@ register_module([
{
$link = "?page=" . rawurlencode($result["pagename"]);
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
//echo("Extracting context for result " . $result["pagename"] . ".\n");
$context = search::extract_context($_GET["query"], $pagesource);
//echo("Generated search context for " . $result["pagename"] . ": $context\n");
//echo("'Generated search context for " . $result["pagename"] . ": $context'\n");
$context = search::highlight_context($_GET["query"], $context);
/*if(strlen($context) == 0)
{
@ -2564,6 +2566,8 @@ class search
return ($a[1] > $b[1]) ? +1 : -1;
});
$sourceLength = strlen($source);
$contexts = [];
$basepos = 0;
$matches_count = count($matches);
@ -2596,6 +2600,9 @@ class search
$context_start = $group[0][1] - $settings->search_characters_context;
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
if($context_start < 0) $context_start = 0;
if($context_end > $sourceLength) $context_end = $sourceLength;
//echo("Got context. Start: $context_start, End: $context_end\n");
//echo("Group:"); var_dump($group);
@ -2603,7 +2610,10 @@ class search
// Strip the markdown from the context - it's most likely going to
// be broken anyway.
$context = self::strip_markup($context);
//$context = self::strip_markup($context);
// Escape special characters to protect against attacks
$context = htmlentities($context);
$contexts[] = $context;
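Review bot: The new `htmlentities($context)` call in the last hunk uses default flags and no charset, so on PHP versions before 8.1 it returns an empty string when the excerpt contains an invalid UTF-8 sequence and leaves single quotes unescaped. The excerpt bounds are byte offsets clamped against `strlen($source)`, so a context that begins or ends inside a multi-byte character looks possible (the slicing itself is outside the hunk) and would silently blank that result; I would write `$context = htmlspecialchars($context, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. With `strip_markup` apparently commented out, this call is the only output encoding applied to page text, and it deserves a comment saying so, e.g. `// Sole HTML-escaping step for page text shown in search results - do not remove`. In the first hunk `search::highlight_context($_GET["query"], $context)` then runs on the already-escaped string with the raw query; its body is not shown, so confirm that it escapes any query text it emits and cannot match inside an entity such as `&amp;`. The same lines recur in the third file section.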


@ -68,7 +68,7 @@
"author": "Starbeamrainbowlabs",
"description": "Adds proper search functionality to Pepperminty Wiki using an inverted index to provide a full text search engine. If pages don't show up, then you might have hit a stop word. If not, try requesting the `invindex-rebuild` action to rebuild the inverted index from scratch.",
"id": "feature-search",
"lastupdate": 1471604218,
"lastupdate": 1471608025,
"optional": false
},
{


@ -136,8 +136,10 @@ register_module([
{
$link = "?page=" . rawurlencode($result["pagename"]);
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
//echo("Extracting context for result " . $result["pagename"] . ".\n");
$context = search::extract_context($_GET["query"], $pagesource);
//echo("Generated search context for " . $result["pagename"] . ": $context\n");
//echo("'Generated search context for " . $result["pagename"] . ": $context'\n");
$context = search::highlight_context($_GET["query"], $context);
/*if(strlen($context) == 0)
{
@ -491,6 +493,8 @@ class search
return ($a[1] > $b[1]) ? +1 : -1;
});
$sourceLength = strlen($source);
$contexts = [];
$basepos = 0;
$matches_count = count($matches);
@ -523,6 +527,9 @@ class search
$context_start = $group[0][1] - $settings->search_characters_context;
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
if($context_start < 0) $context_start = 0;
if($context_end > $sourceLength) $context_end = $sourceLength;
//echo("Got context. Start: $context_start, End: $context_end\n");
//echo("Group:"); var_dump($group);
@ -530,7 +537,10 @@ class search
// Strip the markdown from the context - it's most likely going to
// be broken anyway.
$context = self::strip_markup($context);
//$context = self::strip_markup($context);
// Escape special characters to protect against attacks
$context = htmlentities($context);
$contexts[] = $context;