From bugzilla-daemon@bugs.koha-community.org Tue Jan 29 06:14:56 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] New: Item url double-encode when parameter is
an encoded URL
Date: Tue, 29 Jan 2019 05:14:25 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5181389270806066892=="
--===============5181389270806066892==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Bug ID: 22223
Summary: Item url double-encode when parameter is an encoded
URL
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: OPAC
Assignee: oleonard@myacpl.org
Reporter: dcook@prosentient.com.au
QA Contact: testopia@bugs.koha-community.org
Target Milestone: ---
The following use of the "url" filter is problematic:
[% IF Koha.Preference("OPACURLOpenInNewWindow") %]
[% ITEM_RESULT.uri | html %]
[% ELSE %]
[% ITEM_RESULT.uri |=
html
%]
[% END %]
If ITEM_RESULT.uri is
"https://idp.com?redirect_url=3Dhttps%3A%2F%2Fsomewhere_else.com", then the
percent signs in the argument to the "redirect_url" parameters will be encoded
incorrectly and the result will be
"https://idp.com?redirect_url=3Dhttps%253A%252F%252Fsomewhere_else.com", whic=
h is
obviously an invalid URL.=20
Can we really expect that no one will ever include a URL with URI encoded
parameters?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============5181389270806066892==--
From bugzilla-daemon@bugs.koha-community.org Fri Feb 15 14:52:43 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Fri, 15 Feb 2019 13:52:40 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7168993595897900017=="
--===============7168993595897900017==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jonathan.druart@bugs.koha-c
| |ommunity.org
Depends on| |21526
--- Comment #1 from Jonathan Druart =
---
Done with a script, see
commit 582502644801b44595497caf6bbee449f0347238
Bug 21526: uri escape TT variables when used in 'a href'
We may need to adjust some occurrences manually.
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D21526
[Bug 21526] TT variables used to build a link should be uri filtered
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============7168993595897900017==--
From bugzilla-daemon@bugs.koha-community.org Mon Feb 18 05:39:48 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 18 Feb 2019 04:39:45 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3380122622738942589=="
--===============3380122622738942589==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #2 from David Cook ---
(In reply to Jonathan Druart from comment #1)
> Done with a script, see
> commit 582502644801b44595497caf6bbee449f0347238
> Bug 21526: uri escape TT variables when used in 'a href'
> We may need to adjust some occurrences manually.
I'm not sure what you're saying, Jonathan. Do you mean that the filter was
added by the script and that we need to remove the filters manually?
If so, what would prevent the filters from being re-added by a script in the
future?
--
You are receiving this mail because:
You are watching all bug changes.
--===============3380122622738942589==--
From bugzilla-daemon@bugs.koha-community.org Fri Feb 22 13:06:03 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Fri, 22 Feb 2019 12:06:00 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4514426660958431912=="
--===============4514426660958431912==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #3 from Jonathan Druart =
---
(In reply to David Cook from comment #2)
> (In reply to Jonathan Druart from comment #1)
> > Done with a script, see
> > commit 582502644801b44595497caf6bbee449f0347238
> > Bug 21526: uri escape TT variables when used in 'a href'
> > We may need to adjust some occurrences manually.
>=20
> I'm not sure what you're saying, Jonathan. Do you mean that the filter was
> added by the script and that we need to remove the filters manually?
>=20
> If so, what would prevent the filters from being re-added by a script in the
> future?
Did you read the commit message and the bug description?
I wrote a script to guess what needed to be escaped correctly, in , 'value' must be uri escaped, not html escap=
ed.
This is true in ~90% of the situations, others (specific cases) need to be
handled separately and fixed manually.
If you found one you can provide a patch and I will test it.
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============4514426660958431912==--
From bugzilla-daemon@bugs.koha-community.org Mon Feb 25 00:34:36 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Sun, 24 Feb 2019 23:34:06 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1794353751426621259=="
--===============1794353751426621259==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #4 from David Cook ---
(In reply to Jonathan Druart from comment #3)
> Did you read the commit message and the bug description?
No, I didn't look it up in Git. Like Stackoverflow, I think it makes sense to
include the relevant content in the forum rather than sending people off
somewhere else. Providing a link isn't the same thing as providing a response=
.=20
> I wrote a script to guess what needed to be escaped correctly, in href=3D/uri?param=3D[% value %]>, 'value' must be uri escaped, not html esc=
aped.
>=20
I think you've misunderstood me. I'm saying "href=3D"[% ITEM_RESULT.uri | url=
%]"
is a problem because ITEM_RESULT.uri may already contain an escaped URL. For
instance, "https://idp.com?redirect_url=3Dhttps%3A%2F%2Fsomewhere_else.com". =
If
you run use a filter like [% ITEM_RESULT.uri | url %], that'll make it
double-encoded which breaks the URL. It's a different use case. I'm not
describing building a URL in the template. I'm talking about when an entire U=
RL
is already provided. Filtering it is problematic as you can't know how the URL
data is already going to be handled. (Although a person could write a filter
that parses the URL and escapes any unescaped parameters and rebuilds the URL,
but that's also more work that I doubt anyone wants to do right now.)
> This is true in ~90% of the situations, others (specific cases) need to be
> handled separately and fixed manually.
This is what I don't understand. I understand how the template can be fixed
manually, but can you explain to me how the scripts for auto-adding filters
will ignore manually fixed cases?
*clicks through to
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D21526*
Are you referring to use of $raw instead? I don't understand what you're tryi=
ng
to say.=20
> If you found one you can provide a patch and I will test it.
This also confuses me. What do you mean by "one" here?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============1794353751426621259==--
From bugzilla-daemon@bugs.koha-community.org Wed Feb 27 18:13:18 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 27 Feb 2019 17:13:16 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8124912347897996941=="
--===============8124912347897996941==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Katrin Fischer changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |katrin.fischer@bsz-bw.de
--- Comment #5 from Katrin Fischer ---
(In reply to David Cook from comment #4)
> (In reply to Jonathan Druart from comment #3)
> > Did you read the commit message and the bug description?
>=20
> No, I didn't look it up in Git. Like Stackoverflow, I think it makes sense
> to include the relevant content in the forum rather than sending people off
> somewhere else. Providing a link isn't the same thing as providing a
> response.=20
Commit message and bug description can both be viewed on bugzilla. The commit
message is always supposed to contain the most current test plan, so it's oft=
en
helpful to start there.
If I understand the issue correctly:
Catalogers might copy escaped and unescaped URLs into 856$u/952$u/955? and th=
at
leaves us with the problem that we might not use the correct filter in the
templates.
What can we do here? Is there a way to determine safely, if an URL has already
been escaped? I assume checking for something like % might work?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============8124912347897996941==--
From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 04:42:17 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 28 Feb 2019 03:42:14 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2233667937103478687=="
--===============2233667937103478687==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #6 from David Cook ---
(In reply to Katrin Fischer from comment #5)
> If I understand the issue correctly:
>=20
> Catalogers might copy escaped and unescaped URLs into 856$u/952$u/955? and
> that leaves us with the problem that we might not use the correct filter in
> the templates.
>=20
I'd say that catalogers might copy URLs into 856$u/952$u/955? that have escap=
ed
values in the query string (actually there could also be escaped values in the
path - this is common with URLs used in IIIF Image Servers like Loris*), and =
we
don't want to double-encode those values.=20
*Example Loris URL:
http://loris.example.org/loris/1234%2F5678%2F90123.tif/info.json
> What can we do here? Is there a way to determine safely, if an URL has
> already been escaped? I assume checking for something like % might work?
I don't know if there is a best practice for checking URL encoding. I don't
think there is.
When it comes to safety, I think we need to think about the origin of the
value. It's not a public end user providing this value; it's an authorized
staff member. If this were a CMS, we'd be trusting that the people providing
the content for the CMS aren't embedding malicious Javascript, right? I mean.=
..
if a staff member wanted to inject Javascript, they could use OpacUserJS.
That said, OpacUserJS requires admin privileges. And maybe a less cautious
cataloguer could import a MARCXML record with a malicious URL in it.
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============2233667937103478687==--
From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 04:53:30 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 28 Feb 2019 03:53:27 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5403059213180488645=="
--===============5403059213180488645==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #7 from David Cook ---
I just removed the "url" filter from [% ITEM_RESULT.uri | url %], and I was
able to exploit the XSS vulnerability by putting a malicious string into the
"952$u" subfield via the Staff Client...
Looking at https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), it tal=
ks
about how XSS occurs "anywhere a web application uses input from a user within
the output it generates without validating or encoding it".=20
In the case of ITEM_RESULT.uri, I don't think that encoding it is the right
solution. However, we could validate it by writing a custom Template::Toolkit
filter to use Perl's URI module to ensure that it is actually a URL?=20
Trying to think about a valid URL that could also include a malicious
payload...
--
I just took a malicious string (perhaps best I don't share it publicly?) that
exploits [% ITEM_RESULT.uri %] and put it through URI->new() and it escaped t=
he
malicious characters, which is good.
I just put "https://idp.com?redirect_url=3Dhttps%3A%2F%2Fsomewhere_else.com"
through URI->new() and it didn't modify it in any way, which is good.
I just put "http://loris.example.org/loris/1234%2F5678%2F90123.tif/info.json"
through URI->new() and it didn't modify it in any way, which is good.=20
I just put "https://idp.com?redirect_url=3Dhttps://somewhere_else.com" through
URI->new() and it didn't modify it in any way, which is fine.
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============5403059213180488645==--
From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 05:20:29 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 28 Feb 2019 04:19:59 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5216320709369800520=="
--===============5216320709369800520==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #8 from David Cook ---
Using some of the evasion strategies in
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) and Perl's
URI->new() is handling it.=20
Ah we can see it at https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L=
81
I think.
Basically it encodes everything that isn't in the following:
our $reserved =3D q(;/?:@&=3D+$,[]);
our $mark =3D q(-_.!~*'()); #'; emacs
our $unreserved =3D "A-Za-z0-9\Q$mark\E";
our $uric =3D quotemeta($reserved) . $unreserved . "%";
Whereas http://template-toolkit.org/docs/manual/Filters.html#section_url
encodes everything that is outside the permitted URI charactesrs from RFC 239=
6,
except &, @, /, ;, :, =3D, +, ? and $.=20
The key thing is how the URI module doesn't encode the % sign.=20
(Of course reading
http://template-toolkit.org/docs/manual/Filters.html#section_uri it says ("(",
")", "~", "*", "!" and the single quote "'") now need to be escaped according
to RFC3986... and the URI module doesn't do that?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============5216320709369800520==--
From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 05:22:01 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 28 Feb 2019 04:21:58 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0130487819817946873=="
--===============0130487819817946873==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #9 from David Cook ---
I find it interesting that the double quote character is safe in RFC 3986... =
as
that's a character I use for crafting my malicious strings.
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============0130487819817946873==--
From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 06:44:26 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 28 Feb 2019 05:44:22 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3020345252918423451=="
--===============3020345252918423451==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #10 from David Cook ---
(In reply to David Cook from comment #9)
> I find it interesting that the double quote character is safe in RFC 3986...
> as that's a character I use for crafting my malicious strings.
But in Template 2.28 it is still encoding the double quote character even
though it says it doesn't need to... *shrug*
--
You are receiving this mail because:
You are watching all bug changes.
--===============3020345252918423451==--
From bugzilla-daemon@bugs.koha-community.org Sat May 4 17:27:20 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Sat, 04 May 2019 15:27:17 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1176608350354808146=="
--===============1176608350354808146==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #11 from Jonathan Druart ---
Created attachment 89352
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=3D89352&action=3D=
edit
Bug 22223: Try to not double encoded URIs in items.uri
This is just a POC and is not ready for inclusion (Filter.pm and naming
need to be discussed).
Test plan:
Create 2 items, with uri:
https://www.google.com/url?q=3Dhttps://buttercup.pw
https://www.google.com/url?q=3Dhttps%3A%2F%2Fbuttercup.pw
Go to the OPAC detail page of the bib record, see that the links are
displayed how you entered them.
Click on them and confirm that the uri/page is correct
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============1176608350354808146==--
From bugzilla-daemon@bugs.koha-community.org Sat May 4 17:28:05 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Sat, 04 May 2019 15:28:02 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0727096661730157052=="
--===============0727096661730157052==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|oleonard@myacpl.org |jonathan.druart@bugs.koha-c
| |ommunity.org
Status|NEW |In Discussion
--- Comment #12 from Jonathan Druart ---
Here is a patch for discussion, could you confirm it fixes the issues you
faced?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============0727096661730157052==--
From bugzilla-daemon@bugs.koha-community.org Mon Nov 11 03:32:17 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 11 Nov 2019 02:32:16 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6558967197960945925=="
--===============6558967197960945925==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #13 from David Cook ---
(In reply to Jonathan Druart from comment #12)
> Here is a patch for discussion, could you confirm it fixes the issues you
> faced?
Apologies for the delay, Jonathan.
I have too many other priorities at the moment, so I probably won't be testing
this or following up for a long time.
--
You are receiving this mail because:
You are watching all bug changes.
--===============6558967197960945925==--
From bugzilla-daemon@bugs.koha-community.org Wed Jul 29 23:37:44 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 29 Jul 2020 21:37:44 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4947017305330376648=="
--===============4947017305330376648==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Lucas Gass changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |lucas@bywatersolutions.com
--- Comment #14 from Lucas Gass ---
I ran into this problem today with double encoded URL parameters if
OPACURLOpenInNewWindow is turned on. Not sure why this is In Discussion, I
tested Jonathan's patch (which needs rebased) and it seems to work.
--
You are receiving this mail because:
You are watching all bug changes.
--===============4947017305330376648==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 06:31:35 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 04:31:33 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1666165403524510967=="
--===============1666165403524510967==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #15 from David Cook ---
(In reply to Lucas Gass from comment #14)
> I ran into this problem today with double encoded URL parameters if
> OPACURLOpenInNewWindow is turned on. Not sure why this is In Discussion, I
> tested Jonathan's patch (which needs rebased) and it seems to work.
I think Jonathan probably put it as "In Discussion" as it was a POC to him.
Looking at the code... I don't really like this patch as it's trying to undo
double-encoding (rather than just not double-encoding in the first place).
--
You are receiving this mail because:
You are watching all bug changes.
--===============1666165403524510967==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 06:34:14 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 04:34:13 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7919413823457321363=="
--===============7919413823457321363==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #16 from David Cook ---
I think removing the "url" filter seems like the more reasonable solution to
me.
In this case, the ITEM_RESULT.uri is coming from a stored record in the staff
interface, so we don't really need to filter unauthenticated untrusted user
input.
That said, an authenticated user with cataloguing privileges could put in
malicious Javascript into a 856$u subfield. (Then again, an authenticated user
with admin privileges could put malicious Javascript into OpacUserJS, so an
authenticated staff interface user is always a bit of a risk.)
--
You are receiving this mail because:
You are watching all bug changes.
--===============7919413823457321363==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:09:35 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 05:09:34 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6824865684391277683=="
--===============6824865684391277683==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #17 from David Cook ---
Consider the following excerpt from the URI standard
https://tools.ietf.org/html/std66#section-3.4:
"However, as query components are often used to carry identifying information
in the form of "key=value" pairs and one frequently used value is a reference
to another URI, it is sometimes better for usability to avoid percent-encoding
those characters."
It seems like the standard itself (from 2005) mentions that URI encoding query
components indiscriminately can be problematic.
--
You are receiving this mail because:
You are watching all bug changes.
--===============6824865684391277683==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:15:38 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 05:15:37 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6644014151613198004=="
--===============6644014151613198004==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #18 from David Cook ---
Template Toolkit uses RFC 2396 (from 1998) for the url filter.
Looking at RFC 2396 https://tools.ietf.org/html/rfc2396#section-2.4.2:
"Data must be escaped if it does not have a representation using an unreserved
character"
However, it also says the following:
"A URI is always in an "escaped" form, since escaping or unescaping a complet=
ed
URI might change its semantics. Normally, the only time escape encodings can
safely be made is when the URI is being created from its component parts; each
component may have its own set of characters that are reserved, so only the
mechanism responsible for generating or interpreting that component can
determine whether or not escaping a character will change its semantics.
Likewise, a URI must be separated into its components before the escaped
characters within those components can be safely decoded."
Note also the following:
"Because the percent "%" character always has the reserved purpose of being t=
he
escape indicator, it must be escaped as "%25" in order to be used as data
within a URI. Implementers should be careful not to escape or unescape the
same string more than once, since unescaping an already unescaped string might
lead to misinterpreting a percent data character as another escaped character,
or vice versa in the case of escaping an already escaped string."
Template Toolkit have changed the behaviour of the "uri" and "url" filters ov=
er
time (http://www.template-toolkit.org/docs/manual/Filters.html#section_url). I
think they also haven't interpreted RFC3986 correctly in regards to the double
quote character...
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============6644014151613198004==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:26:46 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 05:26:45 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2259277562222838428=="
--===============2259277562222838428==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #19 from David Cook ---
Actually, after re-reading those specifications, I think maybe we *should* ke=
ep
the "url" filter in the Template Toolkit template.
If we consider the staff interface to be the "URI producer", then technically
the problem is with storing URLs that contain encoded information.
That said, maybe we would be better off storing encoded URLs in MARC 856$u, a=
nd
then either passing those through to the interface with $raw, or decoding on
the backend and then re-encoding using Template Toolkit.=20
Technically, https://www.loc.gov/marc/bibliographic/bd856.html doesn't say
anything about percent encoding, although all the examples contain percent
encoded examples.=20
That goes back to the URI standard that says a URI is always "encoded". Maybe
we should be decoding it prior to putting it through the filter.
Let me have a think about that...
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============2259277562222838428==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:45:34 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 05:45:33 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6339921131667760189=="
--===============6339921131667760189==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #20 from David Cook ---
Consider the following code:
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape;
use Template;
my $one = uri_unescape('https://www.google.com/url?q=https://buttercup.pw"');
my $two =
uri_unescape('https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw%22');
my $template = Template->new();
my $output;
$template->process( \*DATA, { one => $one, two => $two }, \$output );
warn $output;
__DATA__
[% one | url %]
[% two | url %]
Consider the output:
https://www.google.com/url?q=https://buttercup.pw%22
https://www.google.com/url?q=https://buttercup.pw%22
Actually... while that *looks* good... that's not necessarily correct, because
the "correct" URL is actually
https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw%22
That said... the end-target will uri_unescape the value of the "q" key anyway,
so it shouldn't matter. Plus the URI standard says you may choose not to
percent encode the query component due to usability concerns...
But our test cases might also be overly simplistic. I wonder if I have any
real-life complex URLs for digital resources laying around...
--
You are receiving this mail because:
You are watching all bug changes.
--===============6339921131667760189==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:07:46 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 06:07:45 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2472252173606734432=="
--===============2472252173606734432==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #21 from David Cook ---
Actually, I'm going back to thinking that the "url" filter should be removed =
in
this case.
The 2005 URI standard says at https://tools.ietf.org/html/std66#section-2.4
that "the only time when octets within a URI are percent-encoded is during the
process of producing the URI from its component parts. This is when an
implementation determines which of the reserved characters are to be used as
subcomponent delimiters and which can be safely used as data. Once produced,=
a
URI is always in its percent-encoded form."
This is the only safe time to do the uri encoding.
And if you look at the "uri" filter for Template Toolkit at
http://www.template-toolkit.org/docs/manual/Filters.html#section_uri, that's
how they use the do percent-encoding for URIs. That is, building a URI from i=
ts
component parts and doing the escaping at those points.
The "url" filter for encoding whole URLs in Template Toolkit is highly
problematic. I can certainly get the appeal. After all, say someone submits a
URL to a web form and you want to show them their URL on the response page.
Technically speaking, a person should decompose the URL, and then rebuild it
from its component parts. The "url" filter is a convenient mechanism, but it
seems technically incorrect.
So we maybe shouldn't use the "url" filter... but we need to do *something*. =
The 2005 URI standard is dogmatic. Practically speaking, Koha is given whole
URLs by library staff members. It's not building URIs itself from component
parts.=20
In theory, the library staff members should be passing in URLs that are alrea=
dy
encoded, but in practice that is unlikely to happen, unless they're
copying/pasting from somewhere else, and even then it may be hit or miss.
In theory, we shouldn't be encoding the URL at the template level since it
should already be encoded when it was created... but as above... we can't tru=
st
that.=20
Perhaps we should implement our own filter that first parses the URI and then
decodes its component parts before re-encoding its component parts.=20
Of course, https://tools.ietf.org/html/std66#section-2.4 also says
"Implementations must not percent-encode or decode the same string more than
once, as decoding an already decoded string might lead to misinterpreting a
percent data octet as the beginning of a percent-encoding, or vice versa in t=
he
case of percent-encoding an already percent-encoded string."
So... technically speaking this is kind of unsolvable in terms of strict
adherence to the standard?=20
The problem being of course the human element. If we were mechanically buildi=
ng
URLs, encoding them, sending them, decoding them, and using them... it would
all be fine.=20
The problem is human input.=20
With the OPAC, we might accept a URL but it would just be as text data. But
with the staff interface, we're actually using it in HTML...=20
The most practical option in my mind is to just not use the "url" filter on
this field, because I think that we sort of have to assume that the librarian
has put in a properly encoded URL in the first place.
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============2472252173606734432==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:33:49 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 06:33:47 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2335553210856961561=="
--===============2335553210856961561==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #22 from David Cook ---
But... doing nothing is also risky.
I suppose we could validate that it's actually a URL, but that's easy to
bypass.
But we can't re-encode the URI components either because that could compromise
the semantics of the URL.
I suppose one could argue that it's better to compromise the semantics of a
good URL than to permit an unchallenged bad URL.
We could also check URLs for characters outside the "unreserved character"
list, and percent-encode if we find any (by percent encoding components rather
than using the "url" filter). You could get false positives but that's better
than a false negative.
That should prevent XSS and allow through properly encoded URLs (e.g.
"https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").
--
You are receiving this mail because:
You are watching all bug changes.
--===============2335553210856961561==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:38:04 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 06:38:03 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0522899947298523268=="
--===============0522899947298523268==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #23 from David Cook ---
(In reply to David Cook from comment #22)
> We could also check URLs for characters outside the "unreserved character"
> list, and percent-encode if we find any (by percent encoding components
> rather than using the "url" filter). You could get false positives but
> that's better than a false negative.
>
> That should prevent XSS and allow through properly encoded URLs (e.g.
> "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").
Except that I'm wrong. It wouldn't allow through properly encoded URLs because
% is not an "unreserved character".
But as I said in
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c8 that's why
URI "find all funny characters and encode the bytes" when the characters are
not reserved, not unreserved, and not a % sign:
https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L80
--
You are receiving this mail because:
You are watching all bug changes.
--===============0522899947298523268==--
From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:44:19 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 30 Jul 2020 06:44:18 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8078626143076916147=="
--===============8078626143076916147==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #24 from David Cook ---
Consider the following code:
#!/usr/bin/perl
use strict;
use warnings;
use URI;
use Template;
my $one =3D
URI->new('https://www.google.com/url?q=3Dhttps://buttercup.pw">new('https://www.google.com/url?q=3Dhttps%3A%2F%2Fbuttercup.=
pw');
my $template =3D Template->new();
my $output;
$template->process( \*DATA, { one =3D> $one, two =3D> $two }, \$output );
warn $output;
__DATA__
[% one %]
[% two %]
Consider the following output:
https://www.google.com/url?q=3Dhttps://buttercup.pw%22%3E%3C/a%3E%3Cinjection=
%3E%3C/injection%3E%3Ca%20href=3D%22
https://www.google.com/url?q=3Dhttps%3A%2F%2Fbuttercup.pw
In this case it's let the correctly percent encoded URL through, but it's also
encoded the malicious URL.
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============8078626143076916147==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 11 18:03:39 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 11 Aug 2020 16:03:38 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3506733206974475704=="
--===============3506733206974475704==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Margaret changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |margaret@bywatersolutions.c
| |om
--
You are receiving this mail because:
You are watching all bug changes.
--===============3506733206974475704==--
From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 12:07:09 2021
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 13 Oct 2021 10:07:08 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9110055081064084515=="
--===============9110055081064084515==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #89352|0 |1
is obsolete| |
--- Comment #25 from Jonathan Druart ---
Created attachment 126174
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=126174&action=edit
Bug 22223: Try to not double encoded URIs in items.uri
This is just a POC and is not ready for inclusion (Filter.pm and naming
need to be discussed).
Test plan:
Create 2 items, with uri:
https://www.google.com/url?q=https://buttercup.pw
https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw
Go to the OPAC detail page of the bib record, see that the links are
displayed how you entered them.
Click on them and confirm that the uri/page is correct
--
You are receiving this mail because:
You are watching all bug changes.
--===============9110055081064084515==--
From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 12:07:26 2021
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 13 Oct 2021 10:07:26 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6966793837779271629=="
--===============6966793837779271629==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #26 from Jonathan Druart ---
Patch rebased.
--
You are receiving this mail because:
You are watching all bug changes.
--===============6966793837779271629==--
From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 12:07:51 2021
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 13 Oct 2021 10:07:40 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6216867205445645172=="
--===============6216867205445645172==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |severine.queune@bulac.fr
--- Comment #27 from Jonathan Druart ---
*** Bug 29208 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are watching all bug changes.
--===============6216867205445645172==--
From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 13:02:05 2021
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 13 Oct 2021 11:02:05 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4494043575416565916=="
--===============4494043575416565916==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Marcel de Rooy changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |m.de.rooy@rijksmuseum.nl
--
You are receiving this mail because:
You are watching all bug changes.
--===============4494043575416565916==--
From bugzilla-daemon@bugs.koha-community.org Thu Oct 14 11:12:28 2021
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 14 Oct 2021 09:12:27 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1710774555710111003=="
--===============1710774555710111003==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #28 from Séverine Queune ---
Hi Jonathan,
Sorry for the duplicate, I searched in Bugzilla before I open my bug but it
seems I didn't use good keywords...
I tried to apply your POC on Biblibre's sandbox, but I get a "503 Service
Unavailable".
The patch correctly applies on ByWater's sandbox and it works pretty well !
I did my part, so I let you devs discuss about the points you mentioned :)
Thanks !
--
You are receiving this mail because:
You are watching all bug changes.
--===============1710774555710111003==--
From bugzilla-daemon@bugs.koha-community.org Tue Mar 22 15:47:25 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 22 Mar 2022 14:47:24 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3532408131922102032=="
--===============3532408131922102032==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|In Discussion |Signed Off
--
You are receiving this mail because:
You are watching all bug changes.
--===============3532408131922102032==--
From bugzilla-daemon@bugs.koha-community.org Tue Mar 22 15:47:35 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 22 Mar 2022 14:47:29 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7939843302202859376=="
--===============7939843302202859376==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #126174|0 |1
is obsolete| |
--- Comment #29 from Jonathan Druart ---
Created attachment 132027
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=132027&action=edit
Bug 22223: Try to not double encoded URIs in items.uri
This is just a POC and is not ready for inclusion (Filter.pm and naming
need to be discussed).
Test plan:
Create 2 items, with uri:
https://www.google.com/url?q=https://buttercup.pw
https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw
Go to the OPAC detail page of the bib record, see that the links are
displayed how you entered them.
Click on them and confirm that the uri/page is correct
Signed-off-by: Séverine Queune
--
You are receiving this mail because:
You are watching all bug changes.
--===============7939843302202859376==--
From bugzilla-daemon@bugs.koha-community.org Wed Apr 20 15:20:44 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 20 Apr 2022 13:20:43 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7129524958604827747=="
--===============7129524958604827747==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tomascohen@gmail.com
--- Comment #30 from Tomás Cohen Arazi ---
Do you need this?
use Template::Plugin::Filter;
--
You are receiving this mail because:
You are watching all bug changes.
--===============7129524958604827747==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 15:55:29 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 13:55:28 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0676759296214680684=="
--===============0676759296214680684==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #31 from Jonathan Druart ---
Nope. It's a common mistake in Koha/Template/Plugin/, certainly coming from a
copy/paste.
--
You are receiving this mail because:
You are watching all bug changes.
--===============0676759296214680684==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 16:01:53 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 14:01:51 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4395166744246970326=="
--===============4395166744246970326==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #132027|0 |1
is obsolete| |
--- Comment #32 from Jonathan Druart ---
Created attachment 133567
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133567&action=edit
Bug 22223: Try to not double encoded URIs in items.uri
This is just a POC and is not ready for inclusion (Filter.pm and naming
need to be discussed).
Test plan:
Create 2 items, with uri:
https://www.google.com/url?q=https://buttercup.pw
https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw
Go to the OPAC detail page of the bib record, see that the links are
displayed how you entered them.
Click on them and confirm that the uri/page is correct
Signed-off-by: Séverine Queune
JD amended patch:
* Remove use Template::Plugin::Filter;
* Fix license statement
--
You are receiving this mail because:
You are watching all bug changes.
--===============4395166744246970326==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 16:49:56 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 14:49:55 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3304677253143630873=="
--===============3304677253143630873==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Signed Off |Passed QA
--
You are receiving this mail because:
You are watching all bug changes.
--===============3304677253143630873==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 16:50:06 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 14:49:59 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6393146029346166669=="
--===============6393146029346166669==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #133567|0 |1
is obsolete| |
--
You are receiving this mail because:
You are watching all bug changes.
--===============6393146029346166669==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:00:19 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 15:00:18 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4022508776141521577=="
--===============4022508776141521577==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Passed QA |Signed Off
--
You are receiving this mail because:
You are watching all bug changes.
--===============4022508776141521577==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:00:59 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 15:00:34 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5603914233437507188=="
--===============5603914233437507188==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #133567|1 |0
is obsolete| |
--
You are receiving this mail because:
You are watching all bug changes.
--===============5603914233437507188==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:01:48 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 15:01:47 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1362045256213270249=="
--===============1362045256213270249==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #33 from Tomás Cohen Arazi ---
Can you provide some regression tests for this?
--
You are receiving this mail because:
You are watching all bug changes.
--===============1362045256213270249==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:45:37 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 15:45:36 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5499151389753166352=="
--===============5499151389753166352==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #34 from Jonathan Druart ---
Created attachment 133578
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133578&action=edit
Bug 22223: Add tests
--
You are receiving this mail because:
You are watching all bug changes.
--===============5499151389753166352==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:11:59 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:11:58 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0269280789667130985=="
--===============0269280789667130985==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
QA Contact|testopia@bugs.koha-communit |tomascohen@gmail.com
|y.org |
--
You are receiving this mail because:
You are watching all bug changes.
--===============0269280789667130985==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:16:23 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:16:17 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6163941671945138473=="
--===============6163941671945138473==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Signed Off |Passed QA
Patch complexity|--- |Trivial patch
--
You are receiving this mail because:
You are watching all bug changes.
--===============6163941671945138473==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:16:34 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:16:20 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6352830393067045515=="
--===============6352830393067045515==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #133578|0 |1
is obsolete| |
--
You are receiving this mail because:
You are watching all bug changes.
--===============6352830393067045515==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:16:44 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:16:24 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0150971730136644396=="
--===============0150971730136644396==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #133567|0 |1
is obsolete| |
--
You are receiving this mail because:
You are watching all bug changes.
--===============0150971730136644396==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:17:00 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:16:59 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1546962650024024863=="
--===============1546962650024024863==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #35 from Tomás Cohen Arazi ---
Created attachment 133589
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133589&action=edit
Bug 22223: Try to not double encoded URIs in items.uri
This is just a POC and is not ready for inclusion (Filter.pm and naming
need to be discussed).
Test plan:
Create 2 items, with uri:
https://www.google.com/url?q=https://buttercup.pw
https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw
Go to the OPAC detail page of the bib record, see that the links are
displayed how you entered them.
Click on them and confirm that the uri/page is correct
Signed-off-by: Séverine Queune
JD amended patch:
* Remove use Template::Plugin::Filter;
* Fix license statement
Signed-off-by: Tomas Cohen Arazi
--
You are receiving this mail because:
You are watching all bug changes.
--===============1546962650024024863==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:17:10 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:17:05 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1525908121230677604=="
--===============1525908121230677604==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #36 from Tomás Cohen Arazi ---
Created attachment 133590
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133590&action=edit
Bug 22223: Add tests
Signed-off-by: Tomas Cohen Arazi
Edit: fixed tests count
--
You are receiving this mail because:
You are watching all bug changes.
--===============1525908121230677604==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:20:35 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 21 Apr 2022 16:20:34 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5512579496564372783=="
--===============5512579496564372783==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #37 from Tomás Cohen Arazi ---
(In reply to Jonathan Druart from comment #34)
> Created attachment 133578 [details] [review]
> Bug 22223: Add tests
Great job, thanks
--
You are receiving this mail because:
You are watching all bug changes.
--===============5512579496564372783==--
From bugzilla-daemon@bugs.koha-community.org Mon Apr 25 21:53:53 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 25 Apr 2022 19:53:49 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8522573334140846519=="
--===============8522573334140846519==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Fridolin Somers changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fridolin.somers@biblibre.co
| |m
--- Comment #38 from Fridolin Somers ---
> This is just a POC
No push to master then ?
--
You are receiving this mail because:
You are watching all bug changes.
--===============8522573334140846519==--
From bugzilla-daemon@bugs.koha-community.org Wed Apr 27 14:02:47 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 27 Apr 2022 12:02:45 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3808828932835417813=="
--===============3808828932835417813==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #39 from Jonathan Druart ---
(In reply to Fridolin Somers from comment #38)
> > This is just a POC
> No push to master then ?
It *was* a POC, if everybody is happy with the patch I guess you can push it.
--
You are receiving this mail because:
You are watching all bug changes.
--===============3808828932835417813==--
From bugzilla-daemon@bugs.koha-community.org Wed Apr 27 21:44:05 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 27 Apr 2022 19:44:04 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8016970843017959334=="
--===============8016970843017959334==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #40 from Fridolin Somers ---
That code looks very strange to me.
Naming a TT filter 'Filter'.
I would prefer to see syntax : [% var | $NoDoubleEncode %]
Like TT plugin Price.
Class is using :
Base qw( Template::Plugin::Filter )
But does not implement a 'filter' method.
--
You are receiving this mail because:
You are watching all bug changes.
--===============8016970843017959334==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 28 01:18:00 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 27 Apr 2022 23:17:59 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3763916995128492284=="
--===============3763916995128492284==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #41 from David Cook ---
(In reply to Fridolin Somers from comment #40)
> That code looks very strange to me.
> Naming a TT filter 'Filter'.
>
> I would prefer to see syntax : [% var | $NoDoubleEncode %]
> Like TT plugin Price.
>
> Class is using :
> Base qw( Template::Plugin::Filter )
> But does not implement a 'filter' method.
I think a good alternative would be what I suggest at
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c7 as well.
--
You are receiving this mail because:
You are watching all bug changes.
--===============3763916995128492284==--
From bugzilla-daemon@bugs.koha-community.org Thu Apr 28 09:08:21 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 28 Apr 2022 07:08:20 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6569895051749568060=="
--===============6569895051749568060==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|jonathan.druart+koha@gmail. |oleonard@myacpl.org
|com |
Status|Passed QA |In Discussion
--- Comment #42 from Jonathan Druart ---
(In reply to Fridolin Somers from comment #40)
> That code looks very strange to me.
> Naming a TT filter 'Filter'.
>
> I would prefer to see syntax : [% var | $NoDoubleEncode %]
> Like TT plugin Price.
>
> Class is using :
> Base qw( Template::Plugin::Filter )
> But does not implement a 'filter' method.
The idea was to have a module that would deal with other encode/decode, or
replacements functions.
I still think it is a good idea.
I don't have more time to dedicate to this patch unfortunately.
--
You are receiving this mail because:
You are watching all bug changes.
--===============6569895051749568060==--
From bugzilla-daemon@bugs.koha-community.org Tue Dec 6 06:21:27 2022
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 06 Dec 2022 05:21:24 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6352652056349408967=="
--===============6352652056349408967==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
David Cook changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nick@bywatersolutions.com
--- Comment #43 from David Cook ---
*** Bug 23535 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are watching all bug changes.
--===============6352652056349408967==--
From bugzilla-daemon@bugs.koha-community.org Mon Aug 19 18:16:29 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 19 Aug 2024 16:16:28 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7852767479556554062=="
--===============7852767479556554062==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Laura Escamilla changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Laura.escamilla@bywatersolu
| |tions.com
--- Comment #44 from Laura Escamilla -=
--
+1 still an ongoing issue!
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============7852767479556554062==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 01:51:27 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 19 Aug 2024 23:51:26 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3946628881495252968=="
--===============3946628881495252968==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #45 from David Cook ---
It looks like it's no longer an issue in the staff interface since we're now
constructing this HTML using Javascript in
koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_=
detail.inc
and we're using our homemade escape function.
I'd prefer we created the elements using objects rather than strings and using
escape_str, but it escapes the XSS and doesn't double-encode a simple URL, so
it seems good enough.
The OPAC is still a problem. I'm going to try something...
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============3946628881495252968==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:28:09 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 20 Aug 2024 00:28:08 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7561985016235396330=="
--===============7561985016235396330==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
David Cook changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|In Discussion |Needs Signoff
--
You are receiving this mail because:
You are watching all bug changes.
--===============7561985016235396330==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:28:19 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 20 Aug 2024 00:28:11 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3120442430308298079=="
--===============3120442430308298079==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
David Cook changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #133589|0 |1
is obsolete| |
Attachment #133590|0 |1
is obsolete| |
--- Comment #46 from David Cook ---
Created attachment 170485
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170485&action=edit
Bug 22223: Add filter to make item URLs safe in template output
This change adds a "safe_url" filter which takes a text input and
returns a Perl URL object which stringifies to a safe URL.
This change is only needed in the OPAC as the staff interface
handles the item URL display using Javascript not Template Toolkit.
0. Apply patch and koha-plack --restart kohadev
1. Create an item for a record using the following URL
https://koha-community.org?url=https%3A%2F%2Fkoha-community.org
2. Go to the OPAC for that record and verify that the URL is
not double-escaped
3. Create a malicious payload (talk to QA/security team for this if necessary)
4. Note that the malicious payload is escaped
5. prove t/Koha/Plugins/SafeURL.t
6. Celebrate!
--
You are receiving this mail because:
You are watching all bug changes.
--===============3120442430308298079==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:28:45 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 20 Aug 2024 00:28:45 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2825929440343172380=="
--===============2825929440343172380==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #47 from David Cook ---
I've obsoleted Jonathan's patches as they won't apply anymore, but I took
inspiration from his patches.
--
You are receiving this mail because:
You are watching all bug changes.
--===============2825929440343172380==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:29:15 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 20 Aug 2024 00:29:14 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2072772942826144396=="
--===============2072772942826144396==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #48 from David Cook ---
QA note:
FAIL koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
FAIL filters
missing_filter at line 1366 ( =
=20
[% uri | html %])
missing_filter at line 1373 ( =
)
So... either we need to add a $raw filter after "safe_url" or we need to upda=
te
the QA tools to deal with this new "safe_url" filter?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============2072772942826144396==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:53:04 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 20 Aug 2024 00:53:02 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5994628283923485254=="
--===============5994628283923485254==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
David Cook changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.koha-community
| |.org/bugzilla3/show_bug.cgi
| |?id=37681
--
You are receiving this mail because:
You are watching all bug changes.
--===============5994628283923485254==--
From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 03:10:00 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 20 Aug 2024 01:09:59 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4170700259238392457=="
--===============4170700259238392457==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
David Cook changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|oleonard@myacpl.org |dcook@prosentient.com.au
--
You are receiving this mail because:
You are watching all bug changes.
--===============4170700259238392457==--
From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 20:54:50 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 21 Aug 2024 18:54:49 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1716529637865096850=="
--===============1716529637865096850==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Gretchen Maxeiner changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |maxeinergl@gcc.edu
--- Comment #49 from Gretchen Maxeiner ---
Hello, we are a library experiencing this issue and I was directed to this
ticket. I'm out of my depth on this discussion but I see an assumption that
this only affects the OPAC, not the staff interface. This is not true for us =
--
so I wanted to add that we see it both places.=20
Our scenario is this: Links in the MARC 856 sometimes contain a space (these
links are generated out of a SharePoint where spaces are permitted in naming).
These records are then used in Course Reserves. If you try to access the URL
from the reserve title list within a course the "Record URL" link fails for
these. The "Record URL" link is available for course reserves in both the OPAC
and Staff interface, and fails both places.
Thank you all for looking into and working on this issue!
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============1716529637865096850==--
From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 21:25:17 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 21 Aug 2024 19:25:16 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7266237544693535922=="
--===============7266237544693535922==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #50 from Lucas Gass ---
(In reply to Gretchen Maxeiner from comment #49)
> Hello, we are a library experiencing this issue and I was directed to this
> ticket. I'm out of my depth on this discussion but I see an assumption that
> this only affects the OPAC, not the staff interface. This is not true for us
> -- so I wanted to add that we see it both places.
>
> Our scenario is this: Links in the MARC 856 sometimes contain a space (these
> links are generated out of a SharePoint where spaces are permitted in
> naming). These records are then used in Course Reserves. If you try to
> access the URL from the reserve title list within a course the "Record URL"
> link fails for these. The "Record URL" link is available for course reserves
> in both the OPAC and Staff interface, and fails both places.
>
> Thank you all for looking into and working on this issue!
Thanks for your input, Gretchen. David's patch will make it pretty easy to
apply this safe_url filter to other places in Koha, like course reserves.
I'm going to sign-off here because this works good. As for the QA script, I
think it's better to update the script.
--
You are receiving this mail because:
You are watching all bug changes.
--===============7266237544693535922==--
From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 21:25:45 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 21 Aug 2024 19:25:44 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6563141716414825691=="
--===============6563141716414825691==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Lucas Gass changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Needs Signoff |Signed Off
--
You are receiving this mail because:
You are watching all bug changes.
--===============6563141716414825691==--
From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 21:25:55 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 21 Aug 2024 19:25:47 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1842931226366267442=="
--===============1842931226366267442==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Lucas Gass changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #170485|0 |1
is obsolete| |
--- Comment #51 from Lucas Gass ---
Created attachment 170577
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170577&action=edit
Bug 22223: Add filter to make item URLs safe in template output
This change adds a "safe_url" filter which takes a text input and
returns a Perl URL object which stringifies to a safe URL.
This change is only needed in the OPAC as the staff interface
handles the item URL display using Javascript not Template Toolkit.
0. Apply patch and koha-plack --restart kohadev
1. Create an item for a record using the following URL
https://koha-community.org?url=https%3A%2F%2Fkoha-community.org
2. Go to the OPAC for that record and verify that the URL is
not double-escaped
3. Create a malicious payload (talk to QA/security team for this if necessary)
4. Note that the malicious payload is escaped
5. prove t/Koha/Plugins/SafeURL.t
6. Celebrate!
Signed-off-by: Lucas Gass
--
You are receiving this mail because:
You are watching all bug changes.
--===============1842931226366267442==--
From bugzilla-daemon@bugs.koha-community.org Thu Oct 31 19:18:26 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 31 Oct 2024 18:18:24 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7462164603896152325=="
--===============7462164603896152325==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Tomás Cohen Arazi (tcohen) changed:
What |Removed |Added
----------------------------------------------------------------------------
QA Contact|tomascohen@gmail.com |jonathan.druart@gmail.com
--- Comment #52 from Tomás Cohen Arazi (tcohen) ---
I like what I read, it works. I would like Jonathan's feedback.
--
You are receiving this mail because:
You are watching all bug changes.
--===============7462164603896152325==--
From bugzilla-daemon@bugs.koha-community.org Mon Nov 4 14:26:40 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 04 Nov 2024 13:26:38 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6491261395629511600=="
--===============6491261395629511600==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
Paul Derscheid changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |paul.derscheid@lmscloud.de
--- Comment #53 from Paul Derscheid ---
Just ran the koha-qa on this. Is this a false positive?
FAIL koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
FAIL filters
missing_filter at line 1372 ( =
=20
[% uri | html %])
missing_filter at line 1379 ( =
)
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============6491261395629511600==--
From bugzilla-daemon@bugs.koha-community.org Mon Nov 4 15:32:04 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 04 Nov 2024 14:32:03 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6160832639172814892=="
--===============6160832639172814892==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #54 from Tomás Cohen Arazi (tcohen) ---
(In reply to Paul Derscheid from comment #53)
> Just ran the koha-qa on this. Is this a false positive?
It is just we need to teach the QA tools about `safe_url`. False positive.
--
You are receiving this mail because:
You are watching all bug changes.
--===============6160832639172814892==--
From bugzilla-daemon@bugs.koha-community.org Mon Nov 4 23:41:46 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 04 Nov 2024 22:41:44 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3929389515873074135=="
--===============3929389515873074135==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223
--- Comment #55 from David Cook ---
(In reply to Tom=C3=A1s Cohen Arazi (tcohen) from comment #54)
> (In reply to Paul Derscheid from comment #53)
> > Just ran the koha-qa on this. Is this a false positive?
>=20
> It is just we need to teach the QA tools about `safe_url`. False positive.
I've only recently been learning about this. The built-in filter "xml" does t=
he
same thing, and I provided a patch for that on bug 21731. Would it be OK to
just do the same here?
--=20
You are receiving this mail because:
You are watching all bug changes.
--===============3929389515873074135==--
From bugzilla-daemon@bugs.koha-community.org Tue Nov 5 13:58:21 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Tue, 05 Nov 2024 12:58:20 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5581318853315788823=="
--===============5581318853315788823==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #56 from Tomás Cohen Arazi (tcohen) ---
(In reply to David Cook from comment #55)
> (In reply to Tomás Cohen Arazi (tcohen) from comment #54)
> > (In reply to Paul Derscheid from comment #53)
> > > Just ran the koha-qa on this. Is this a false positive?
> >
> > It is just we need to teach the QA tools about `safe_url`. False positive.
>
> I've only recently been learning about this. The built-in filter "xml" does
> the same thing, and I provided a patch for that on bug 21731. Would it be OK
> to just do the same here?
Yes.
--
You are receiving this mail because:
You are watching all bug changes.
--===============5581318853315788823==--
From bugzilla-daemon@bugs.koha-community.org Wed Nov 6 18:00:28 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 06 Nov 2024 17:00:26 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1739739215192715551=="
--===============1739739215192715551==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Phil Ringnalda changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.koha-community
| |.org/bugzilla3/show_bug.cgi
| |?id=38214
--
You are receiving this mail because:
You are watching all bug changes.
--===============1739739215192715551==--
From bugzilla-daemon@bugs.koha-community.org Wed Nov 6 18:01:08 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 06 Nov 2024 17:00:53 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7211796459616060201=="
--===============7211796459616060201==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Phil Ringnalda changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phil@chetcolibrary.org
--
You are receiving this mail because:
You are watching all bug changes.
--===============7211796459616060201==--
From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 02:38:05 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 07 Nov 2024 01:38:03 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6089766937463047100=="
--===============6089766937463047100==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #57 from David Cook ---
Created attachment 174101
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174101&action=edit
Bug 22223: t::lib::QA::TemplateFilters missing built-in TT filter "safe_url"
causes false warnings
--
You are receiving this mail because:
You are watching all bug changes.
--===============6089766937463047100==--
From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 09:49:08 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 07 Nov 2024 08:49:07 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8865701369603246362=="
--===============8865701369603246362==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Signed Off |Passed QA
--
You are receiving this mail because:
You are watching all bug changes.
--===============8865701369603246362==--
From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 09:49:19 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 07 Nov 2024 08:49:11 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1895260613609117431=="
--===============1895260613609117431==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #170577|0 |1
is obsolete| |
Attachment #174101|0 |1
is obsolete| |
--- Comment #58 from Jonathan Druart ---
Created attachment 174104
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174104&action=edit
Bug 22223: Add filter to make item URLs safe in template output
This change adds a "safe_url" filter which takes a text input and
returns a Perl URL object which stringifies to a safe URL.
This change is only needed in the OPAC as the staff interface
handles the item URL display using Javascript not Template Toolkit.
0. Apply patch and koha-plack --restart kohadev
1. Create an item for a record using the following URL
https://koha-community.org?url=https%3A%2F%2Fkoha-community.org
2. Go to the OPAC for that record and verify that the URL is
not double-escaped
3. Create a malicious payload (talk to QA/security team for this if necessary)
4. Note that the malicious payload is escaped
5. prove t/Koha/Plugins/SafeURL.t
6. Celebrate!
Signed-off-by: Lucas Gass
Signed-off-by: Jonathan Druart
--
You are receiving this mail because:
You are watching all bug changes.
--===============1895260613609117431==--
From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 09:49:29 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 07 Nov 2024 08:49:14 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7363762352409429556=="
--===============7363762352409429556==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #59 from Jonathan Druart ---
Created attachment 174105
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174105&action=edit
Bug 22223: t::lib::QA::TemplateFilters missing built-in TT filter "safe_url"
causes false warnings
Signed-off-by: Jonathan Druart
--
You are receiving this mail because:
You are watching all bug changes.
--===============7363762352409429556==--
From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 16:32:38 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 07 Nov 2024 15:32:36 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0386568832534891089=="
--===============0386568832534891089==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Katrin Fischer changed:
What |Removed |Added
----------------------------------------------------------------------------
Version(s)| |24.11.00
released in| |
Status|Passed QA |Pushed to main
--
You are receiving this mail because:
You are watching all bug changes.
--===============0386568832534891089==--
From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 16:32:48 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 07 Nov 2024 15:32:39 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0978219529676077039=="
--===============0978219529676077039==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #60 from Katrin Fischer ---
Pushed for 24.11!
Well done everyone, thank you!
--
You are receiving this mail because:
You are watching all bug changes.
--===============0978219529676077039==--
From bugzilla-daemon@bugs.koha-community.org Fri Nov 22 04:46:26 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Fri, 22 Nov 2024 03:46:24 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8184973291956925454=="
--===============8184973291956925454==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
David Cook changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.koha-community
| |.org/bugzilla3/show_bug.cgi
| |?id=38467
--
You are receiving this mail because:
You are watching all bug changes.
--===============8184973291956925454==--
From bugzilla-daemon@bugs.koha-community.org Thu Dec 5 22:39:23 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 05 Dec 2024 21:39:22 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8409712828960983386=="
--===============8409712828960983386==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Lucas Gass (lukeg) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Pushed to main |Pushed to stable
Version(s)|24.11.00 |24.11.00,24.05.06
released in| |
--- Comment #61 from Lucas Gass (lukeg) ---
Backported to 24.05.x for upcoming 24.05.06
--
You are receiving this mail because:
You are watching all bug changes.
--===============8409712828960983386==--
From bugzilla-daemon@bugs.koha-community.org Thu Dec 5 22:39:33 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 05 Dec 2024 21:39:28 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2404254089447662670=="
--===============2404254089447662670==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Lucas Gass (lukeg) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Pushed to stable |Pushed to oldstable
--
You are receiving this mail because:
You are watching all bug changes.
--===============2404254089447662670==--
From bugzilla-daemon@bugs.koha-community.org Wed Dec 18 10:55:07 2024
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Wed, 18 Dec 2024 09:55:04 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8208100546781774610=="
--===============8208100546781774610==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Fridolin Somers changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Pushed to oldstable |Pushed to oldoldstable
Version(s)|24.11.00,24.05.06 |24.11.00,24.05.06,23.11.11
released in| |
--- Comment #62 from Fridolin Somers ---
Pushed to 23.11.x for 23.11.11
--
You are receiving this mail because:
You are watching all bug changes.
--===============8208100546781774610==--
From bugzilla-daemon@bugs.koha-community.org Thu Jan 23 13:08:49 2025
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Thu, 23 Jan 2025 12:08:48 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0439060833931217297=="
--===============0439060833931217297==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Chris Rowlands changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |chris.rowlands6@nhs.net
--
You are receiving this mail because:
You are watching all bug changes.
--===============0439060833931217297==--
From bugzilla-daemon@bugs.koha-community.org Mon Feb 3 17:33:36 2025
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an
encoded URL
Date: Mon, 03 Feb 2025 16:33:35 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6948038621932190051=="
--===============6948038621932190051==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
Jesse Maseto changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|Pushed to oldoldstable |RESOLVED
CC| |jesse@bywatersolutions.com
--- Comment #63 from Jesse Maseto ---
Not pushed to LTS. Marked Resolved.
If you feel this should be in LTS please reply with your reason.
--
You are receiving this mail because:
You are watching all bug changes.
--===============6948038621932190051==--