* [gentoo-commits] proj/forums:origin/3.2.x commit in: phpBB/phpbb/search/
@ 2019-05-04 5:20 Jimi Huotari
From: Jimi Huotari @ 2019-05-04 5:20 UTC (permalink / raw
To: gentoo-commits
commit: fd195fba210c8625e968ef5553e61864747c8d44
Author: Derky <derky <AT> phpbb <DOT> com>
AuthorDate: Thu Apr 25 19:51:04 2019 +0000
Commit: Jimi Huotari <chiitoo <AT> gentoo <DOT> org>
CommitDate: Thu Apr 25 19:51:04 2019 +0000
URL: https://gitweb.gentoo.org/proj/forums.git/commit/?id=fd195fba
[ticket/security/235] Remove non trailing wildcards from search keywords
Database indexes are only used if wildcards are used at the end.
SECURITY-235
phpBB/phpbb/search/fulltext_native.php | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/phpBB/phpbb/search/fulltext_native.php b/phpBB/phpbb/search/fulltext_native.php
index 9a6d62f9d..478fe5616 100644
--- a/phpBB/phpbb/search/fulltext_native.php
+++ b/phpBB/phpbb/search/fulltext_native.php
@@ -305,6 +305,11 @@ class fulltext_native extends \phpbb\search\base
}
}
+ // Remove non trailing wildcards from each word to prevent a full table scan (it's now using the database index)
+ $match = '#\*(?!$)\b#';
+ $replace = '$1';
+ $keywords = preg_replace($match, $replace, $keywords);
+
// set the search_query which is shown to the user
$this->search_query = $keywords;
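Review bot: `$replace = '$1'` refers to capture group 1, but the pattern `#\*(?!$)\b#` defines no group, so the reference only happens to expand to an empty string; `$replace = '';` states the intent directly. The same `'$1'` replacement is reused with the group-less `#\*#` pattern in the later "Only allow one wildcard" hunk. Separately, preg_replace() returns null on a PCRE error, and that null would be assigned to `$keywords` and then to `$this->search_query` unchecked, so the result should be tested for null before it is used. The enclosing method starts and ends outside the hunk, so any later handling of `$keywords` is not visible here.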
* [gentoo-commits] proj/forums:origin/3.2.x commit in: phpBB/phpbb/search/
@ 2019-05-04 5:20 Jimi Huotari
From: Jimi Huotari @ 2019-05-04 5:20 UTC (permalink / raw
To: gentoo-commits
commit: 8a73eb5f0ff912454e6479539f972081e54baa1c
Author: Derky <derky <AT> phpbb <DOT> com>
AuthorDate: Thu Apr 25 22:52:43 2019 +0000
Commit: Jimi Huotari <chiitoo <AT> gentoo <DOT> org>
CommitDate: Thu Apr 25 22:54:14 2019 +0000
URL: https://gitweb.gentoo.org/proj/forums.git/commit/?id=8a73eb5f
[ticket/security/235] Use whitespace instead of word boundary regex to remove wildcards
This fixes removing the wildcard in the following search query: *.test
SECURITY-235
phpBB/phpbb/search/fulltext_native.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/phpbb/search/fulltext_native.php b/phpBB/phpbb/search/fulltext_native.php
index 478fe5616..1925623b8 100644
--- a/phpBB/phpbb/search/fulltext_native.php
+++ b/phpBB/phpbb/search/fulltext_native.php
@@ -306,7 +306,7 @@ class fulltext_native extends \phpbb\search\base
}
// Remove non trailing wildcards from each word to prevent a full table scan (it's now using the database index)
- $match = '#\*(?!$)\b#';
+ $match = '#\*(?!$|\s)#';
$replace = '$1';
$keywords = preg_replace($match, $replace, $keywords);
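Review bot: The new lookahead `(?!$|\s)` keeps every `*` that is followed by whitespace or the end of the string, regardless of what precedes it, so a `*` that stands alone as a token (constructed example: `foo * bar`) survives even though it is not a trailing wildcard on a word. If nothing later in the method drops such tokens, which cannot be seen from this hunk, the index-only guarantee the comment describes does not hold for them. A second pass would close the gap: `$keywords = preg_replace('#(?<!\S)\*(?=\s|$)#', '', $keywords);`. A short comment listing the accepted and rejected forms (`word*` kept, `*word`, `wo*rd` and bare `*` removed) would also make the rule reviewable.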
* [gentoo-commits] proj/forums:origin/3.2.x commit in: phpBB/phpbb/search/
@ 2019-05-04 5:20 Jimi Huotari
From: Jimi Huotari @ 2019-05-04 5:20 UTC (permalink / raw
To: gentoo-commits
commit: da9910850a168f73c6b8dd8407a01f47d27ca1d8
Author: Derky <derky <AT> phpbb <DOT> com>
AuthorDate: Thu Apr 25 22:56:48 2019 +0000
Commit: Jimi Huotari <chiitoo <AT> gentoo <DOT> org>
CommitDate: Thu Apr 25 22:56:48 2019 +0000
URL: https://gitweb.gentoo.org/proj/forums.git/commit/?id=da991085
[ticket/security/235] Only allow one wildcard in the search query to limit the database load
SECURITY-235
phpBB/phpbb/search/fulltext_native.php | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/phpBB/phpbb/search/fulltext_native.php b/phpBB/phpbb/search/fulltext_native.php
index 1925623b8..c83de75ee 100644
--- a/phpBB/phpbb/search/fulltext_native.php
+++ b/phpBB/phpbb/search/fulltext_native.php
@@ -310,6 +310,15 @@ class fulltext_native extends \phpbb\search\base
$replace = '$1';
$keywords = preg_replace($match, $replace, $keywords);
+ // Only allow one wildcard in the search query to limit the database load
+ $match = '#\*#';
+ $replace = '$1';
+ $count_wildcards = substr_count($keywords, '*');
+
+ // Reverse the string to remove all wildcards except the first one
+ $keywords = strrev(preg_replace($match, $replace, strrev($keywords), $count_wildcards - 1));
+ unset($count_wildcards);
+
// set the search_query which is shown to the user
$this->search_query = $keywords;
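Review bot: The limit argument `$count_wildcards - 1` evaluates to 0 for a query with exactly one wildcard and to -1 for a query with none, so the call depends on preg_replace() treating 0 as "replace nothing" and -1 as "no limit", the latter being harmless only because there is then nothing to match. An explicit guard makes the intent readable: `if ($count_wildcards > 1) { $keywords = strrev(preg_replace($match, '', strrev($keywords), $count_wildcards - 1)); }`. strrev() reverses bytes rather than characters, so the block deserves a comment that this is safe for multibyte keywords only because `*` is a single ASCII byte, the pattern carries no `u` modifier, and the string is reversed back afterwards. The enclosing method lies outside the hunk.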