authorDerky <derky@phpbb.com>2019-04-26 00:56:48 +0200
committerDerky <derky@phpbb.com>2019-04-26 00:56:48 +0200
commitda9910850a168f73c6b8dd8407a01f47d27ca1d8 (patch)
tree47d32911013acc0b056be60c48526286afdd70d0 /phpBB
parent8a73eb5f0ff912454e6479539f972081e54baa1c (diff)
[ticket/security/235] Only allow one wildcard in the search query to limit the database load
SECURITY-235
Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/phpbb/search/fulltext_native.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/phpBB/phpbb/search/fulltext_native.php b/phpBB/phpbb/search/fulltext_native.php
index 1925623b80..c83de75eed 100644
--- a/phpBB/phpbb/search/fulltext_native.php
+++ b/phpBB/phpbb/search/fulltext_native.php
@@ -310,6 +310,15 @@ class fulltext_native extends \phpbb\search\base
$replace = '$1';
$keywords = preg_replace($match, $replace, $keywords);
+ // Only allow one wildcard in the search query to limit the database load
+ $match = '#\*#';
+ $replace = '$1';
+ $count_wildcards = substr_count($keywords, '*');
+
+ // Reverse the string to remove all wildcards except the first one
+ $keywords = strrev(preg_replace($match, $replace, strrev($keywords), $count_wildcards - 1));
+ unset($count_wildcards);
+
// set the search_query which is shown to the user
$this->search_query = $keywords;