harmen/hypha
1
0
Fork 0
Code Issues 142 Pull requests 4 Projects Releases Packages Wiki Activity

Handle urldecoding of path components in HyphaRequest? #203

New issue
Open
opened 2019-01-31 20:29:07 +00:00 by matthijskooijman · 2 comments
matthijskooijman commented 2019-01-31 20:29:07 +00:00 (Migrated from github.com)
Copy link

When including special characters (in particular / or ?) in a url path component, it can be urlencoded to prevent being interpreted as a path separator or query parameter separator. To make sure that the original characters are used, at some point the value should be urldecoded. Currently, this does not seem to happen, or only for a particular path component (e.g. here).

It would be good to do this decoding globally, for example here.

However, if we do this, then we should make sure to more consistently encode url path components as well. In particular, not doing so could prevent a % from working, since en unencoded % will be viewed as an (probably invalid) urlencoded character.

When including special characters (in particular / or ?) in a url path component, it can be urlencoded to prevent being interpreted as a path separator or query parameter separator. To make sure that the original characters are used, at some point the value should be urldecoded. Currently, this does not seem to happen, or only for a particular path component (e.g. [here](https://github.com/PlanBCode/hypha/blob/f4c19a143fbfda6078d08341a41e22145717bc08/system/core/pages.php#L193)). It would be good to do this decoding globally, for example [here](https://github.com/PlanBCode/hypha/blob/4ed616191672a0335a73d8c74d3836ba40c326a1/system/core/HyphaRequest.php#L91). However, if we do this, then we should make sure to more consistently encode url path components as well. In particular, not doing so could prevent a % from working, since en unencoded % will be viewed as an (probably invalid) urlencoded character.
matthijskooijman commented 2019-01-31 20:52:48 +00:00 (Migrated from github.com)
Copy link

Apparently urlencoding does not actually allow using a / inside a path component, at least with Apache, since that will deny any requests containing %2f (which seems silly, but is sort of a security measure and sortof a workaround). See https://stackoverflow.com/a/3235361/740048

Apparently urlencoding does not actually allow using a / inside a path component, at least with Apache, since that will deny any requests containing %2f (which seems silly, but is sort of a security measure and sortof a workaround). See https://stackoverflow.com/a/3235361/740048
matthijskooijman commented 2020-12-07 16:45:54 +00:00 (Migrated from github.com)
Copy link

This probably relates to #274 for the generation / encoding of urls.

This probably relates to #274 for the generation / encoding of urls.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
hypha-117
combined
Render-links-in-article-comments
base64-subject
hypha-119
festival-translation
Issue/66-paste-from-word
issue/306-Install-new-hypha-fail
datatype-tag_list
testtranslation
clarify-comment-rules
wymeditor-css
newtext-more
newtextservicemethods
pr219
searchfunctie
default_datatype
koppelting
No results found.
Labels
Clear labels   
Component: User interface

   
Component: Wymeditor

   
Help wanted

   
Level: Difficult

Structural changes, need discussion

  
Level: Easy

Under 4 hours of work

  
Level: Moderate

Under 16 hours of work

  
Pagetype: Festival

   
Pagetype: Mailinglist

   
Pagetype: Peer reviewed article

   
Pagetype: Text

   
Privacy GDPR AVG

   
status: has conflicts

   
Status: Needs changes

   
Status: Needs discussion

   
Status: Needs review

   
Status: Ready to merge

   
Status: Waiting for response

   
Type: Bug

   
Type: Enhancement

   
Type: Question

   
Usecase: De Stadsbron

   
Usecase: Koppelting

   
Usecase: MeetjeStad

   
Value: Coders

Enhancement of codebase, API, documentation

  
Value: Security

   
Value: Users

Improve user experience, add new features

  
Value: Visitors

Improve navigation, styling

No labels
Component: User interface
Component: Wymeditor
Help wanted
Level: Difficult
Level: Easy
Level: Moderate
Pagetype: Festival
Pagetype: Mailinglist
Pagetype: Peer reviewed article
Pagetype: Text
Privacy GDPR AVG
status: has conflicts
Status: Needs changes
Status: Needs discussion
Status: Needs review
Status: Ready to merge
Status: Waiting for response
Type: Bug
Type: Enhancement
Type: Question
Usecase: De Stadsbron
Usecase: Koppelting
Usecase: MeetjeStad
Value: Coders
Value: Security
Value: Users
Value: Visitors
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
harmen/hypha#203
No description provided.