Handle urldecoding of path components in HyphaRequest? #203

Open
opened 2019-01-31 20:29:07 +00:00 by matthijskooijman · 2 comments
matthijskooijman commented 2019-01-31 20:29:07 +00:00 (Migrated from github.com)

When including special characters (in particular / or ?) in a url path component, it can be urlencoded to prevent being interpreted as a path separator or query parameter separator. To make sure that the original characters are used, at some point the value should be urldecoded. Currently, this does not seem to happen, or only for a particular path component (e.g. here).

It would be good to do this decoding globally, for example here.

However, if we do this, then we should make sure to more consistently encode url path components as well. In particular, not doing so could prevent a % from working, since en unencoded % will be viewed as an (probably invalid) urlencoded character.

When including special characters (in particular / or ?) in a url path component, it can be urlencoded to prevent being interpreted as a path separator or query parameter separator. To make sure that the original characters are used, at some point the value should be urldecoded. Currently, this does not seem to happen, or only for a particular path component (e.g. [here](https://github.com/PlanBCode/hypha/blob/f4c19a143fbfda6078d08341a41e22145717bc08/system/core/pages.php#L193)). It would be good to do this decoding globally, for example [here](https://github.com/PlanBCode/hypha/blob/4ed616191672a0335a73d8c74d3836ba40c326a1/system/core/HyphaRequest.php#L91). However, if we do this, then we should make sure to more consistently encode url path components as well. In particular, not doing so could prevent a % from working, since en unencoded % will be viewed as an (probably invalid) urlencoded character.
matthijskooijman commented 2019-01-31 20:52:48 +00:00 (Migrated from github.com)

Apparently urlencoding does not actually allow using a / inside a path component, at least with Apache, since that will deny any requests containing %2f (which seems silly, but is sort of a security measure and sortof a workaround). See https://stackoverflow.com/a/3235361/740048

Apparently urlencoding does not actually allow using a / inside a path component, at least with Apache, since that will deny any requests containing %2f (which seems silly, but is sort of a security measure and sortof a workaround). See https://stackoverflow.com/a/3235361/740048
matthijskooijman commented 2020-12-07 16:45:54 +00:00 (Migrated from github.com)

This probably relates to #274 for the generation / encoding of urls.

This probably relates to #274 for the generation / encoding of urls.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
harmen/hypha#203
No description provided.