updated sphinx-search extension version #505

Merged
merged 1 commit into from
Jan 17, 2024

CommonClimate
Collaborator

cf RTD email from Jan 15:

Recently, we identified a security vulnerability in our readthedocs-sphinx-search Sphinx extension. We have detected that you have used this extension in your builds in the last six months, in the following projects:

pyleoclim-util

This vulnerability could allow an attacker to inject arbitrary HTML content when including search results from a malicious project, using the project: search filter in a malicious link like https://docs.example.com/en/latest/?rtd_search=project: query, for instance.

If you no longer use this extension, feel free to disregard this message. Otherwise, we strongly recommend updating to the latest version (0.3.2) as soon as possible.

Alternatively, you can try our new search integration from our addons project, which will replace the Sphinx extension in the future. You can enable it from our beta dashboard at https://beta.readthedocs.org, by navigating to your project's Settings page, and clicking on the Addons tab.

Documentation sites from Read the Docs Community (*.readthedocs.io and custom domains) don't use session cookies, so what an attacker could do is very limited. You can find more information about this vulnerability in our security advisory.

Keep documenting,
Read the Docs

@alexkjames alexkjames merged commit 8d94083 into master Jan 17, 2024
1 check passed
@alexkjames alexkjames deleted the sphinx_search_version branch January 17, 2024 20:22
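
An added example, not part of this pull request or of Read the Docs' own tooling: a small audit that flags requirements lines allowing readthedocs-sphinx-search below 0.3.2, the fixed version named in the email above. The sample file contents and the function names are constructed for illustration.

```python
import re

FIXED = (0, 3, 2)  # fixed release named in the Read the Docs email
PACKAGE = "readthedocs-sphinx-search"

# name, optional extras, then version specifiers up to a marker (;) or comment (#)
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_SPEC = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([^\s,]+)")

# Constructed sample input, not taken from the pyleoclim-util repository.
SAMPLE = """\
# docs/requirements.txt (constructed)
sphinx>=5
readthedocs-sphinx-search==0.3.1
readthedocs_sphinx_search>=0.3.2
Readthedocs.Sphinx.Search
readthedocs-sphinx-search==0.3.2rc1
"""

def _normalize(name):
    """PEP 503 normalization: '-', '_' and '.' are equivalent, case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _version(text):
    """Plain dotted release as a tuple, or None for wildcards and pre-releases."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(line):
    """Return None (other package), 'ok', 'vulnerable' or 'review'."""
    m = _REQ.match(line)
    if not m or _normalize(m.group(1)) != PACKAGE:
        return None
    for op, ver in _SPEC.findall(m.group(2)):
        v = _version(ver)
        if v is None:
            return "review"  # cannot compare safely, needs a human look
        if op in ("==", "==="):
            return "ok" if v >= FIXED else "vulnerable"
        if op in (">=", "~=") and v >= FIXED:
            return "ok"
    return "review"  # unpinned or a range that still admits older releases

def audit(requirements_text):
    """List (line_number, status) for every line naming the extension."""
    lines = requirements_text.splitlines()
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, status) for n, status in hits if status]

if __name__ == "__main__":
    for number, status in audit(SAMPLE):
        print(f"line {number}: {status}")
```

A `review` result means the line does not pin an exact release, so the version actually installed has to be checked in the build environment.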