Closed (fixed)
Project:
Apache Solr Search
Version:
6.x-1.6
Component:
Code
Priority:
Major
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
7 Feb 2011 at 15:36 UTC
Updated:
20 Mar 2012 at 14:00 UTC
Jump to comment: Most recent file
Comments
Comment #1
mtbosworth commentedThis patch uses the filter_xss function to scrub the search term before building the $form['#redirect'] path.
Comment #2
mtbosworth commentedI found a second instance where the $keys value needed to be scrubbed.
Comment #3
Michael Hofmockel commentedThe Apache solr module alone will not create this. But if the search form is inline with the breadcrumbs an open tag in the breadcrumb can wrap the form and leverage it for attack.
Although mtbosworth patch takes care of the form submission it misses the possibility of an attack directly through a URL submission. I have attached a simpler patch that address the problem earlier in the flow for all cases.
Comment #4
Michael Hofmockel commentedI am closing this bug as I have found it to be in the custom breadcrumbs on our site. The breadcrumbs are created in some cases from the URL. Once I sanitized the breadcrumb with filter_xss, our problem was resolved in all cases. Sorry for the false alarm.
How ever it should be considered that the search inputs be sanitized prior to being incorporated into the URL. In my case arg(2) is unsanitary in the URL.
FYI
My problem was solved in template.php with the addition of filter_xss()
$breadcrumb[2] = filter_xss(arg(2),array());Comment #5
hanskuiters commentedReopening this issue. Found out I can execute javascript through default search box. If I uninstall Apache Solr Search Integration, search is correct.
Code to reproduce:
<script>alert('hello');</script>Drupal 6.20
Apache Solr 1.6
Comment #6
nick_vhPlease provide us with a complete list of your contrib modules. Did you do form alters? Can you reproduce the same error on a vanilla drupal with only apachesolr?
Comment #7
hanskuiters commentedI have about 99 contributed modules, so for now I spare you the list. I did some form alters, but for the test I didn't use them. On a clean D6 install with Apache Solr, all went well. Strange thing: on Safari and Chrome (Windows) the error doesn't occure.
I'll do some debug myself before I get back.
Comment #8
hanskuiters commentedFound it. Your advice to test on a clean install did it. I also tested with Garland to rule out my theme.
I said I didn't use form alters while testing. That was right. But I did use the search query to place an extra link on the page which performs an alternate search query to an external database: "do you like to search for [search query] in publications?". And I didn't sanatize that search query. So while printing the extra line it executes the javascript. I now use filter_xss() on the search query.
Comment #9
nick_vhGreat! Problem solved :)