Describe the bug
In multi-page HTML builds of Sphinx projects that have search functionality enabled and use the default searchtools.js implementation, a user search query (either input manually, or as a result of clicking on a hyperlink to the documentation) for the term __proto__ may produce an error in the user's browser.
Although I don't believe that this is realistically exploitable as a security vulnerability in the client-side code deployed in Sphinx HTML projects, it is a query (a form of user-controlled input) that produces an error at runtime.
How to Reproduce
The problem can be replicated in a minimal Sphinx project containing an empty conf.py file and an empty index.rst file.
Assuming that those two files have been placed in a poc directory, run the following command to build the project:
...and then serve it on a local webserver:
You should subsequently be able to replicate the error by opening the URL: http://127.0.0.1:8000/search.html?q=__proto__
The error that appears in Firefox's JavaScript developer console is:
Environment Information
Sphinx extensions
Additional context
I plan to offer a pull request to resolve this problem alongside this bug report.
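The following is an added example, not part of the original report and not Sphinx's searchtools.js code. It shows one way a term lookup keyed on the q parameter can throw on this query, next to a hardened lookup. The index shape, the sample data and all function names are assumptions made for illustration.

```javascript
// Constructed sample index: search term -> IDs of documents containing it.
// Assumption: the index is a plain object, so it inherits from Object.prototype.
const sampleIndex = { sphinx: [0, 2], search: [1] };

// Extract the user-controlled search term from a search URL.
function termFromUrl(url) {
  return new URL(url).searchParams.get("q") || "";
}

// Naive lookup: any truthy value found under the key is treated as a hit list.
function naiveLookup(index, term) {
  const hits = index[term];          // "__proto__" resolves to Object.prototype
  if (!hits) return [];
  return hits.map((docId) => docId); // Object.prototype has no map() -> TypeError
}

// Hardened lookup: only own properties that really are arrays count as matches.
function safeLookup(index, term) {
  if (!Object.prototype.hasOwnProperty.call(index, term)) return [];
  const hits = index[term];
  return Array.isArray(hits) ? hits.slice() : [];
}

// Run a lookup and report either the hits or the name of the error it threw.
function run(lookup, term) {
  try {
    return { ok: true, hits: lookup(sampleIndex, term) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed queries: one ordinary term, one absent term, and names that
// every plain object inherits from its prototype chain.
const queries = [
  termFromUrl("http://127.0.0.1:8000/search.html?q=__proto__"),
  "sphinx",
  "missing",
  "constructor",
];
for (const q of queries) {
  console.log(q, run(naiveLookup, q), run(safeLookup, q));
}
```

Building the index with Object.create(null) or storing it in a Map avoids inherited keys in the same way as the own-property check.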