[hackerone] OpenSearch issues

[stoletheminerals]

https://hackerone.com/reports/2057565

Please also check my comment here https://hackerone.com/reports/2057565#activity-22722892

[hffvld]

Hi @stoletheminerals do you know what website can QA use to validate the fix for this ticket?

[hffvld]

@stoletheminerals @soner-yuksel In build 1.52 I was able to install Custom SE from https://csrf.jp/2023/brave_opensearch.php and see a request to bad_sugest.php. However, with build 1.56 (23.7.19.18) I can't install Custom SE. Is this expected?

1.52	1.56

1.56 (23.7.19.18)

Custom.SE.mov

[stoletheminerals]

@vlad-hoff yep this is expected, one of the issues was that Brave allowed adding multiple search providers with the same name, which led to crashes and other weird behaviours. @soner-yuksel added a check, so when you add a new SE and there is already a SE with the same name - Brave will return an error.
To test other issues in the ticket you will need to modify the HTTP response of search3.xml file, just change short and long names from Google to something else (e.g EvilTest)

[hffvld]

Verified on iPhone 14 using version(s):

Device/OS: iPhone 14 [iOS 16.5.1]
Brave build: 1.57 (23.7.26.15)
BraveCore: 1.57.13 (115.0.5790.90)

---

STEPS:

1. Launch Brave
2. Visit https://en.m.wikipedia.org/wiki/Main_Page
3. Tap the magnifier button and activate the search
4. Tap Add custom search engine button over the keyboard > Verify
5. Go to settings > Search engines > Add Custom Search Engine
6. Type https://wikipedia.org/search?q=%s > Then type Name as Wikipedia (en) > Add > Verify
7. Settings Search Engines > Disable Show Search Suggestions
8. Type a search query > Verify

ACTUAL RESULTS:

• Verified that both suggestion - search URL template is written on the description on alert
• Verified that an error message is shown when trying to add the same SE (URL and Name)
• Verified that Brave is not sending requests to suggestion API when Show Search Suggestions is OFF

---

1	2	3	4

1	2	3	4