Summary | vacation, spam & forward double encoding |
Queue | Horde Framework Packages |
Type | Bug |
State | Resolved |
Priority | 1. Low |
Owners | mrubinsk (at) horde (dot) org |
Requester | dbgarcia (at) gmv (dot) com |
Created | 10/30/2015 (3513 days ago) |
Due | |
Updated | 11/03/2015 (3509 days ago) |
Assigned | 11/02/2015 (3510 days ago) |
Resolved | 11/03/2015 (3509 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
Best regards
commit a8d1297249b89ad441f3c9c59256ba7de36c11ab
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon Nov 2 14:51:13 2015 -0500
Use full URL, since these will be html encoded by Horde_Form.
This still smells a tiny bit funny, since it requires knowing what
Horde_Form does internally, but...
Related to Bug: 14148
ingo/lib/Basic/Forward.php | 2 +-
ingo/lib/Basic/Spam.php | 2 +-
ingo/lib/Basic/Vacation.php | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
http://github.com/horde/horde/commit/a8d1297249b89ad441f3c9c59256ba7de36c11ab
commit d2ec7373f8dfa2c71784be4d9978e52e2228d857
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon Nov 2 14:51:13 2015 -0500
Use full URL, since these will be html encoded by Horde_Form.
This still smells a tiny bit funny, since it requires knowing what
Horde_Form does internally, but...
Related to Bug: 14148
ingo/lib/Basic/Forward.php | 2 +-
ingo/lib/Basic/Spam.php | 2 +-
ingo/lib/Basic/Vacation.php | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
http://github.com/horde/horde/commit/d2ec7373f8dfa2c71784be4d9978e52e2228d857
Still, since these URLs will never have another parameter added
in the action URL (as you said, they are POST forms), this still fixes
the original issue.
Still, for good measure, I'll force Horde::url to be a full URL since
this will prevent the & encoding from Horde_Url.
form, and not allow Horde::url to append it so we can still get a
"clean" url.
URL only contains a single parameter now, so there's no ampersand to
be double encoded. But as soon as one of these gets another parameter,
it's broken again.
Adding the session id as a form field is still better though. Actually
we shouldn't use parameters in the action URL at all, technically,
since these are POST forms, not GET forms. There is no browser that
would choke on this behaviour though.
should probably rather make sure that we don't pass the encoded URL
to Horde_Form from Ingo. Probably need to set ->raw in the passed
Horde_Url.
to string fwiw).
htmlspecialchars, which isn't really appropriate for encoding an
actual URL. e.g.:
htmlspecialchars('/some/page.php?foo=bar&bar=foo')
does not result in a valid, working url.
is of course not a valid URL, but a correctly encoded URL to be
embedded into an HTML page.
State ⇒ Feedback
commit 303d4d6a9a2a17dc2893da737e039880a4d46df8
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon Nov 2 13:57:35 2015 -0500
Bug: 14148 Correctly add session id to form if it's needed.
ingo/lib/Basic/Forward.php | 8 ++++++--
ingo/lib/Basic/Spam.php | 8 ++++++--
ingo/lib/Basic/Vacation.php | 8 ++++++--
3 files changed, 18 insertions(+), 6 deletions(-)
http://github.com/horde/horde/commit/303d4d6a9a2a17dc2893da737e039880a4d46df8
commit 3dde111136ba3ff170501acb5e9b9993debfcd5f
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon Nov 2 13:59:17 2015 -0500
Revert "Bug: 14148 Don't convert html special entities in form action."
This reverts commit 9cc5cb3a13289e2ced64133cf98db3eab2431bb7.
framework/Form/lib/Horde/Form/Renderer.php | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
http://github.com/horde/horde/commit/3dde111136ba3ff170501acb5e9b9993debfcd5f
commit 3309278cd40275b31ef18f058247f89a23b205d7
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon Nov 2 13:57:35 2015 -0500
Bug: 14148 Correctly add session id to form if it's needed.
ingo/lib/Basic/Forward.php | 8 ++++++--
ingo/lib/Basic/Spam.php | 8 ++++++--
ingo/lib/Basic/Vacation.php | 8 ++++++--
3 files changed, 18 insertions(+), 6 deletions(-)
http://github.com/horde/horde/commit/3309278cd40275b31ef18f058247f89a23b205d7
attribute being run through htmlspecialchars, which isn't really
appropriate for encoding an actual URL. e.g.:
htmlspecialchars('/some/page.php?foo=bar&bar=foo')
does not result in a valid, working url.
Version ⇒
Queue ⇒ Horde Framework Packages
commit 9cc5cb3a13289e2ced64133cf98db3eab2431bb7
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon Nov 2 11:15:00 2015 -0500
Bug: 14148 Don't convert html special entities in form action.
framework/Form/lib/Horde/Form/Renderer.php | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
http://github.com/horde/horde/commit/9cc5cb3a13289e2ced64133cf98db3eab2431bb7
State ⇒ Assigned
Assigned to Michael Rubinsky
It only happens when you have cookies disabled.
Priority ⇒ 1. Low
Please upgrade first, as your install is out of date.
Priority ⇒ 2. Medium
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Summary ⇒ vacation, spam & forward double encoding
Type ⇒ Bug
Queue ⇒ Ingo
spam with buttons: "save", "save and enable" or "Return to rules list"
it fails returning a "page not found" error. We have seen that URLs
attached to those buttons seem to be double encoded (please note
"&amp;" text):
<!--a75c305b1c0a6022--><form
action="/horde/ingo/basic.php?Horde=llmtcafuh0kmsuc8p7h8535rg0&amp;page=spam" method="post" name="ingo_form_spam"
id="ingo_form_spam">
Could it be a double encoding issue?
Best regards.
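
What the double encoding discussed in this ticket does to the submitted request, as an added example (plain PHP, not Horde code). The helper name `paramsSeenByServer` and the session id value are constructed for illustration.

```php
<?php
// Added illustration, not Horde code. The session id is a constructed value.

// Hypothetical helper: decode an attribute value once, as an HTML parser
// does, then split the query string the way PHP will on the server side.
function paramsSeenByServer(string $actionAttr): array
{
    $url = html_entity_decode($actionAttr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $params = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$raw = '/horde/ingo/basic.php?Horde=SESSIONID&page=spam';

// Encoded once, at the point where the value is written into the attribute.
$once = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

// The pattern reported here: an already entity-encoded URL is handed to a
// renderer that runs htmlspecialchars() on it again.
$twice = htmlspecialchars($once, ENT_QUOTES, 'UTF-8');

foreach (['once' => $once, 'twice' => $twice] as $label => $attr) {
    $params = paramsSeenByServer($attr);
    printf("%-5s action=\"%s\"\n", $label, $attr);
    printf("      keys: %s\n", implode(', ', array_keys($params)));
    printf("      has 'page': %s\n\n", isset($params['page']) ? 'yes' : 'no');
}
```

In the double-encoded case the second parameter arrives under the key `amp;page`, so the application never receives `page`.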