#13783 assigned defect

Avoid spam link attack via quickjump feature of search

Reported by:	Jun Omae	Owned by:	Jun Omae
Priority:	normal	Milestone:	1.6.1
Component:	search system	Version:
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Jun Omae)

diff --git a/trac/search/templates/search.html b/trac/search/templates/search.html
index c9ad6578b..a4aaafd3b 100644
--- a/trac/search/templates/search.html
+++ b/trac/search/templates/search.html
@@ -30,6 +30,7 @@ history and logs, available at https://trac.edgewall.org/.
     ${ super() }

     #   if results:
+    <meta name="ROBOTS" content="NOINDEX, NOFOLLOW" />
     <meta name="startIndex" content="${results.span[0] + 1}"/>
     <meta name="totalResults" content="${results.num_items}"/>
     <meta name="itemsPerPage" content="${results.max_per_page}"/>

Change History (1)

comment:1 by Jun Omae, 4 months ago

Description:	modified (diff)

In addition, search: link should have ref="nofollow" attribute.

trac/search/web_ui.py

diff --git a/trac/search/web_ui.py b/trac/search/web_ui.py
index 4e7789a61..9f528481e 100644

                class SearchModule(Component):
         else:
             href = formatter.href.search() + quote_query_string(query)
         href += fragment
         return tag.a(label, class_='search', href=href)
+        return tag.a(label, rel='nofollow', class_='search', href=href)
     # IRequestHandler helper methods

trac/tests/wikisyntax.py

diff --git a/trac/tests/wikisyntax.py b/trac/tests/wikisyntax.py
index 1a9f0c3c0..90b89a686 100644

                search:"foo bar"
 [search:]
 ------------------------------
 <p>
 <a class="search" href="/search?q=foo">search:foo</a>
 <a class="search" href="/search?q=foo+bar">search:"foo bar"</a>
 <a class="search" href="/search?q=bar">Bar</a>
 <a class="search" href="/search?q=bar">bar</a>
 <a class="search" href="/search">search</a>
+<a class="search" href="/search?q=foo" rel="nofollow">search:foo</a>
+<a class="search" href="/search?q=foo+bar" rel="nofollow">search:"foo bar"</a>
+<a class="search" href="/search?q=bar" rel="nofollow">Bar</a>
+<a class="search" href="/search?q=bar" rel="nofollow">bar</a>
+<a class="search" href="/search" rel="nofollow">search</a>
 </p>
 ------------------------------
 ============================== search: link resolver with query arguments
-…
+               search:"?q=foo bar&wiki=on"
 [search:?q=bar&ticket=on Bar in Tickets]
 ------------------------------
 <p>
 <a class="search" href="/search?q=foo&amp;wiki=on">search:foo?wiki=on</a>
 <a class="search" href="/search?q=foo&amp;wiki=on">search:?q=foo&amp;wiki=on</a>
 <a class="search" href="/search?q=foo+bar&amp;wiki=on">search:"foo bar?wiki=on"</a>
 <a class="search" href="/search?q=foo+bar&amp;wiki=on">search:"?q=foo bar&amp;wiki=on"</a>
 <a class="search" href="/search?q=bar&amp;ticket=on">Bar in Tickets</a>
 <a class="search" href="/search?q=bar&amp;ticket=on">Bar in Tickets</a>
+<a class="search" href="/search?q=foo&amp;wiki=on" rel="nofollow">search:foo?wiki=on</a>
+<a class="search" href="/search?q=foo&amp;wiki=on" rel="nofollow">search:?q=foo&amp;wiki=on</a>
+<a class="search" href="/search?q=foo+bar&amp;wiki=on" rel="nofollow">search:"foo bar?wiki=on"</a>
+<a class="search" href="/search?q=foo+bar&amp;wiki=on" rel="nofollow">search:"?q=foo bar&amp;wiki=on"</a>
+<a class="search" href="/search?q=bar&amp;ticket=on" rel="nofollow">Bar in Tickets</a>
+<a class="search" href="/search?q=bar&amp;ticket=on" rel="nofollow">Bar in Tickets</a>
 </p>
 ------------------------------
 """

Modify Ticket

Change Properties

Summary:
Description:	{{{ diff --git a/trac/search/templates/search.html b/trac/search/templates/search.html index c9ad6578b..a4aaafd3b 100644 --- a/trac/search/templates/search.html +++ b/trac/search/templates/search.html @@ -30,6 +30,7 @@ history and logs, available at https://trac.edgewall.org/. ${ super() } # if results: + <meta name="ROBOTS" content="NOINDEX, NOFOLLOW" /> <meta name="startIndex" content="${results.span[0] + 1}"/> <meta name="totalResults" content="${results.num_items}"/> <meta name="itemsPerPage" content="${results.max_per_page}"/> }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as assigned The owner will remain Jun Omae.

unassign The ticket will be disowned. Next status will be 'new'.

resolve as The resolution will be set. Next status will be 'closed'.

change ownership to The owner will be changed from Jun Omae to the specified user.

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Download in other formats:

Context Navigation

#13783 assigned defect

Avoid spam link attack via quickjump feature of search

Description (last modified by Jun Omae)

Attachments (0)

Change History (1)

comment:1 by Jun Omae, 4 months ago

trac/search/web_ui.py

trac/tests/wikisyntax.py

Modify Ticket

Add Comment

by anonymous

Download in other formats: