In `XF\Pub\Controller\Search`, `actionResults` is missing checks from `actionSearch`

Xon

Well-known member
Affected version: 2.2.11

In practice, the `XF\Pub\Controller\Search::actionResults` endpoint is largely a replica of the `XF\Pub\Controller\Search::actionSearch` method, but with fewer checks.

  • `\XF::visitor()->canSearch()` is not checked.
  • When re-running search, it does not call `$searcher->isQueryEmpty()` and instead half-bakes this depending on if it is a user vs a guest.
  • Search is always re-run for logged-in users, even for an empty query or if they are not allowed to do searches.
  • The changed search check for guests (`$search->search_query !== $this->filter('q', 'str')`) is not sufficient to detect if this is a different search.

This set of changes means a logged-in user can always craft search queries.
 

Xon

There are a number of endpoints on the Search controller which are missing `canSearch` checks, but look like they should have them.

Maybe just put that in the preDispatch function so every action has that check done by default?
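
The difference between a per-action check and a controller-wide pre-dispatch check, as an added example that is not part of the original posts and is not XenForo's code. `Visitor`, `Controller`, `PerActionSearch`, `PreDispatchSearch`, `dispatch()` and the `preDispatch()` hook here are hypothetical stand-ins; only the `canSearch`, `actionSearch` and `actionResults` names come from the thread.

```php
<?php
// Hypothetical stand-ins for illustration; these are not XenForo's classes.
final class Visitor {
    public function __construct(private bool $canSearch) {}
    public function canSearch(): bool { return $this->canSearch; }
}

abstract class Controller {
    public function __construct(protected Visitor $visitor) {}
    // Runs before every action; the default performs no controller-wide check.
    protected function preDispatch(string $action): void {}
    public function dispatch(string $action): string {
        try {
            $this->preDispatch($action);
            return $this->$action();
        } catch (DomainException $e) {
            return 'no permission';
        }
    }
}

// Pattern described in the report: the permission check lives in one action only.
class PerActionSearch extends Controller {
    public function actionSearch(): string {
        if (!$this->visitor->canSearch()) {
            throw new DomainException('no permission');
        }
        return 'search ran';
    }
    public function actionResults(): string {
        return 'search ran'; // re-runs the search without a canSearch() check
    }
}

// Suggested pattern: one check covers every action, including ones added later.
class PreDispatchSearch extends PerActionSearch {
    protected function preDispatch(string $action): void {
        if (!$this->visitor->canSearch()) {
            throw new DomainException('no permission');
        }
    }
}

$denied = new Visitor(false); // constructed visitor without search permission
foreach ([PerActionSearch::class, PreDispatchSearch::class] as $class) {
    foreach (['actionSearch', 'actionResults'] as $action) {
        printf("%s::%s => %s\n", $class, $action, (new $class($denied))->dispatch($action));
    }
}
```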
 

Xon

`actionResults` returns a not-found instead of an error message if parsing the query fails, unlike `actionSearch`, which gives an actual error message:
PHP:
            if ($query->getErrors())
            {
                return $this->notFound();
            }
 