PyPI: Whoogle-Search

CVE-2022-23990

Transitive

Safety vulnerability ID: 48299

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 26, 2022 Updated at Nov 29, 2024

Advisory

Whoogle-search 0.7.2 updates its Python image to python:3.11.0a5-alpine to include a security fix.

Affected package

whoogle-search

Latest version: 0.9.1

Self-hosted, ad-free, privacy-respecting metasearch engine

Affected versions

Fixed versions

Vulnerability changelog

Features/Improvements
- Build images now pushed to [ghcr.io](https://github.com/benbusby/whoogle-search/pkgs/container/whoogle-search) (still pushed to Docker Hub as usual)
- Improved "minimal mode"
- Public instances now accessible in machine readable format via [misc/instances.txt](https://github.com/benbusby/whoogle-search/blob/main/misc/instances.txt)
- Fixed bugs w/ currency conversion
- Upgraded Python image in Dockerfile to `python:3.11.0a5-alpine`
- Updated ad filter
- Switched to [defusedxml](https://pypi.org/project/defusedxml/) for XML parsing
- Added ability to enable frontend alternatives, but selectively keep the default frontend for specific services
- For example, if site alts are enabled but you still want to visit `youtube.com` for YouTube results, set `WHOOGLE_ALT_YT` to an empty value (i.e. `WHOOGLE_ALT_YT=""`; all alt environment variables are documented in the README).
- Updated all remaining frontend alternatives to be redirected through [Farside](https://github.com/benbusby/farside) by default
- Fixed incorrect Chinese and Russian translations
- Added Korean translations
- Improved support for relative search results
- Note: If you're hosting Whoogle behind a path such as `mydomain.com/whoogle`, you can now set `WHOOGLE_URL_PREFIX` to the path prefix (in this example, `/whoogle`)
- Patched a minor vulnerability involving XSS on the Whoogle error template
- Passing valid JavaScript within a tag (e.g. "<script>alert(document.domain)</script>") to the `q` param of the (now removed) `/url` endpoint caused the JavaScript to be executed. This has been fixed by restoring message sanitizing on the error template, as well as by removing the unused `/url` endpoint, which provided the only way of reaching the bug.
- Added a (rough) implementation of Anonymous View
- Available as a config setting or environment variable (`WHOOGLE_CONFIG_ANON_VIEW`)
- Partially overrides the NoJS feature in order to keep result clutter to a minimum
- NoJS View is now accessible only if both Anonymous View and NoJS are enabled in the config, since it uses the same endpoint as Anonymous View
- This still has some issues to work through, but is available as a "beta" feature to test out now. Feel free to open an issue or reach out directly (or come to [my Twitch stream](https://twitch.tv/ben_busby)) if you find a specific site that anonymous view doesn't work with, or otherwise find a bug with it in general.
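The error-template fix described above, as an added example that is not Whoogle's own code: a constructed stand-in for the error template is rendered with and without escaping of the user-controlled message, and a small check (hypothetical, for a template test suite) flags any tag in the output that did not come from the template itself.

```python
import html
import re

# Constructed stand-in for the Whoogle error template (not the project's
# own file): the {message} slot is where user-controlled text, such as the
# `q` parameter, ends up.
ERROR_TEMPLATE = '<div class="error"><p>{message}</p></div>'


def render_error_unsanitized(message: str) -> str:
    """Pre-fix behaviour: raw substitution, so markup in the message
    becomes markup in the page (this is the defect, kept for contrast)."""
    return ERROR_TEMPLATE.format(message=message)


def render_error_sanitized(message: str) -> str:
    """The fix: HTML-escape the message before it enters the template, so
    the browser renders it as text instead of parsing it as markup."""
    return ERROR_TEMPLATE.format(message=html.escape(message, quote=True))


# Matches any opening or closing HTML tag in a rendered page.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_injected_markup(rendered: str, template: str = ERROR_TEMPLATE) -> bool:
    """Defensive check: any tag in the rendered output that is not one of
    the template's own tags must have come from the substituted message."""
    template_tags = set(_TAG_RE.findall(template))
    return any(tag not in template_tags for tag in _TAG_RE.findall(rendered))


if __name__ == "__main__":
    # Constructed input; the same shape as the payload quoted in the release notes.
    probe = "<script>alert(document.domain)</script>"
    print("unsanitized injected:", contains_injected_markup(render_error_unsanitized(probe)))
    print("sanitized injected:  ", contains_injected_markup(render_error_sanitized(probe)))
    print(render_error_sanitized(probe))
```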

Community Contributions
* Update minimal mode for new Google formatting by DUOLabs333 in https://github.com/benbusby/whoogle-search/pull/637
* Fixing a few bugs by sayuri-gi in https://github.com/benbusby/whoogle-search/pull/594
* Improve rendering of the tabs by jacr13 in https://github.com/benbusby/whoogle-search/pull/535
* Clean "Show more results" of all site blocks by DUOLabs333 in https://github.com/benbusby/whoogle-search/pull/646
* added my instance :) by EsmailELBoBDev2 in https://github.com/benbusby/whoogle-search/pull/647
* Add gowogle.voring.me as public instance by ThatOneCalculator in https://github.com/benbusby/whoogle-search/pull/650
* Fix error with `remove_site_blocks` in the Images tab by DUOLabs333 in https://github.com/benbusby/whoogle-search/pull/651
* Fix 'collapse_sections' for 'MINIMAL_MODE' by DUOLabs333 in https://github.com/benbusby/whoogle-search/pull/654
* Give Accept-Language div its own class by nityy in https://github.com/benbusby/whoogle-search/pull/659
* Vulnerable Python image upgraded (critical) by Albonycal in https://github.com/benbusby/whoogle-search/pull/669
* Configure setup() using setup.cfg by CyberTailor in https://github.com/benbusby/whoogle-search/pull/667
* Increase /var/lib/tor tmpfs size to 12MB by CyberJack in https://github.com/benbusby/whoogle-search/pull/693
* whoogle.dcs0.hu cloudflare remove by domokosdcs0 in https://github.com/benbusby/whoogle-search/pull/696
* Fix incorrect translation (zh-TW & zh-CN) by xatier in https://github.com/benbusby/whoogle-search/pull/697
* Add "nofollow noopener noreferrer" to all links by 138138138 in https://github.com/benbusby/whoogle-search/pull/698
* add korean translation by green1052 in https://github.com/benbusby/whoogle-search/pull/700
* Do not offer opensearch.xml as attachment by gdm85 in https://github.com/benbusby/whoogle-search/pull/713
* [Chrome] Mention requirements to add a search engine via OpenSearch by gdm85 in https://github.com/benbusby/whoogle-search/pull/716
* Fix 'anon-view' KeyError by glitsj16 in https://github.com/benbusby/whoogle-search/pull/724
* Fix Russian translation by dsrev in https://github.com/benbusby/whoogle-search/pull/726
* Return 401 when token is invalid by gdm85 in https://github.com/benbusby/whoogle-search/pull/714
* Add support for relative search results by gdm85 in https://github.com/benbusby/whoogle-search/pull/715
* Fixes issue where 307 redirects on http not https by spitsw in https://github.com/benbusby/whoogle-search/pull/731

New Contributors
* EsmailELBoBDev2 made their first contribution in https://github.com/benbusby/whoogle-search/pull/647
* ThatOneCalculator made their first contribution in https://github.com/benbusby/whoogle-search/pull/650
* CyberTailor made their first contribution in https://github.com/benbusby/whoogle-search/pull/667
* CyberJack made their first contribution in https://github.com/benbusby/whoogle-search/pull/693
* xatier made their first contribution in https://github.com/benbusby/whoogle-search/pull/697
* 138138138 made their first contribution in https://github.com/benbusby/whoogle-search/pull/698
* green1052 made their first contribution in https://github.com/benbusby/whoogle-search/pull/700
* gdm85 made their first contribution in https://github.com/benbusby/whoogle-search/pull/713
* spitsw made their first contribution in https://github.com/benbusby/whoogle-search/pull/731

**Full Changelog**: https://github.com/benbusby/whoogle-search/compare/v0.7.1...v0.7.2

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL