From bugzilla-daemon@bugs.koha-community.org Tue Jan 29 06:14:56 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] New: Item url double-encode when parameter is an encoded URL Date: Tue, 29 Jan 2019 05:14:25 +0000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5181389270806066892==" --===============5181389270806066892== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Bug ID: 22223 Summary: Item url double-encode when parameter is an encoded URL Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org Target Milestone: --- The following use of the "url" filter is problematic: [% IF Koha.Preference("OPACURLOpenInNewWindow") %] [% ITEM_RESULT.uri | html %] [% ELSE %] [% ITEM_RESULT.uri |= html %] [% END %] If ITEM_RESULT.uri is "https://idp.com?redirect_url=3Dhttps%3A%2F%2Fsomewhere_else.com", then the percent signs in the argument to the "redirect_url" parameters will be encoded incorrectly and the result will be "https://idp.com?redirect_url=3Dhttps%253A%252F%252Fsomewhere_else.com", whic= h is obviously an invalid URL.=20 Can we really expect that no one will ever include a URL with URI encoded parameters? --=20 You are receiving this mail because: You are watching all bug changes. --===============5181389270806066892==-- From bugzilla-daemon@bugs.koha-community.org Fri Feb 15 14:52:43 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Fri, 15 Feb 2019 13:52:40 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7168993595897900017==" --===============7168993595897900017== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org Depends on| |21526 --- Comment #1 from Jonathan Druart = --- Done with a script, see commit 582502644801b44595497caf6bbee449f0347238 Bug 21526: uri escape TT variables when used in 'a href' We may need to adjust some occurrences manually. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D21526 [Bug 21526] TT variables used to build a link should be uri filtered --=20 You are receiving this mail because: You are watching all bug changes. --===============7168993595897900017==-- From bugzilla-daemon@bugs.koha-community.org Mon Feb 18 05:39:48 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 18 Feb 2019 04:39:45 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3380122622738942589==" --===============3380122622738942589== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #2 from David Cook --- (In reply to Jonathan Druart from comment #1) > Done with a script, see > commit 582502644801b44595497caf6bbee449f0347238 > Bug 21526: uri escape TT variables when used in 'a href' > We may need to adjust some occurrences manually. I'm not sure what you're saying, Jonathan. Do you mean that the filter was added by the script and that we need to remove the filters manually? If so, what would prevent the filters from being re-added by a script in the future? -- You are receiving this mail because: You are watching all bug changes. --===============3380122622738942589==-- From bugzilla-daemon@bugs.koha-community.org Fri Feb 22 13:06:03 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Fri, 22 Feb 2019 12:06:00 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4514426660958431912==" --===============4514426660958431912== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #3 from Jonathan Druart = --- (In reply to David Cook from comment #2) > (In reply to Jonathan Druart from comment #1) > > Done with a script, see > > commit 582502644801b44595497caf6bbee449f0347238 > > Bug 21526: uri escape TT variables when used in 'a href' > > We may need to adjust some occurrences manually. >=20 > I'm not sure what you're saying, Jonathan. Do you mean that the filter was > added by the script and that we need to remove the filters manually? >=20 > If so, what would prevent the filters from being re-added by a script in the > future? Did you read the commit message and the bug description? I wrote a script to guess what needed to be escaped correctly, in , 'value' must be uri escaped, not html escap= ed. This is true in ~90% of the situations, others (specific cases) need to be handled separately and fixed manually. If you found one you can provide a patch and I will test it. --=20 You are receiving this mail because: You are watching all bug changes. --===============4514426660958431912==-- From bugzilla-daemon@bugs.koha-community.org Mon Feb 25 00:34:36 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Sun, 24 Feb 2019 23:34:06 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1794353751426621259==" --===============1794353751426621259== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #4 from David Cook --- (In reply to Jonathan Druart from comment #3) > Did you read the commit message and the bug description? No, I didn't look it up in Git. Like Stackoverflow, I think it makes sense to include the relevant content in the forum rather than sending people off somewhere else. Providing a link isn't the same thing as providing a response= .=20 > I wrote a script to guess what needed to be escaped correctly, in href=3D/uri?param=3D[% value %]>, 'value' must be uri escaped, not html esc= aped. >=20 I think you've misunderstood me. I'm saying "href=3D"[% ITEM_RESULT.uri | url= %]" is a problem because ITEM_RESULT.uri may already contain an escaped URL. For instance, "https://idp.com?redirect_url=3Dhttps%3A%2F%2Fsomewhere_else.com". = If you run use a filter like [% ITEM_RESULT.uri | url %], that'll make it double-encoded which breaks the URL. It's a different use case. I'm not describing building a URL in the template. I'm talking about when an entire U= RL is already provided. Filtering it is problematic as you can't know how the URL data is already going to be handled. (Although a person could write a filter that parses the URL and escapes any unescaped parameters and rebuilds the URL, but that's also more work that I doubt anyone wants to do right now.) > This is true in ~90% of the situations, others (specific cases) need to be > handled separately and fixed manually. This is what I don't understand. I understand how the template can be fixed manually, but can you explain to me how the scripts for auto-adding filters will ignore manually fixed cases? *clicks through to https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D21526* Are you referring to use of $raw instead? I don't understand what you're tryi= ng to say.=20 > If you found one you can provide a patch and I will test it. This also confuses me. What do you mean by "one" here? --=20 You are receiving this mail because: You are watching all bug changes. --===============1794353751426621259==-- From bugzilla-daemon@bugs.koha-community.org Wed Feb 27 18:13:18 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 27 Feb 2019 17:13:16 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8124912347897996941==" --===============8124912347897996941== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Katrin Fischer changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de --- Comment #5 from Katrin Fischer --- (In reply to David Cook from comment #4) > (In reply to Jonathan Druart from comment #3) > > Did you read the commit message and the bug description? >=20 > No, I didn't look it up in Git. Like Stackoverflow, I think it makes sense > to include the relevant content in the forum rather than sending people off > somewhere else. Providing a link isn't the same thing as providing a > response.=20 Commit message and bug description can both be viewed on bugzilla. The commit message is always supposed to contain the most current test plan, so it's oft= en helpful to start there. If I understand the issue correctly: Catalogers might copy escaped and unescaped URLs into 856$u/952$u/955? and th= at leaves us with the problem that we might not use the correct filter in the templates. What can we do here? Is there a way to determine safely, if an URL has already been escaped? I assume checking for something like % might work? --=20 You are receiving this mail because: You are watching all bug changes. --===============8124912347897996941==-- From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 04:42:17 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 28 Feb 2019 03:42:14 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2233667937103478687==" --===============2233667937103478687== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #6 from David Cook --- (In reply to Katrin Fischer from comment #5) > If I understand the issue correctly: >=20 > Catalogers might copy escaped and unescaped URLs into 856$u/952$u/955? and > that leaves us with the problem that we might not use the correct filter in > the templates. >=20 I'd say that catalogers might copy URLs into 856$u/952$u/955? that have escap= ed values in the query string (actually there could also be escaped values in the path - this is common with URLs used in IIIF Image Servers like Loris*), and = we don't want to double-encode those values.=20 *Example Loris URL: http://loris.example.org/loris/1234%2F5678%2F90123.tif/info.json > What can we do here? Is there a way to determine safely, if an URL has > already been escaped? I assume checking for something like % might work? I don't know if there is a best practice for checking URL encoding. I don't think there is. When it comes to safety, I think we need to think about the origin of the value. It's not a public end user providing this value; it's an authorized staff member. If this were a CMS, we'd be trusting that the people providing the content for the CMS aren't embedding malicious Javascript, right? I mean.= .. if a staff member wanted to inject Javascript, they could use OpacUserJS. That said, OpacUserJS requires admin privileges. And maybe a less cautious cataloguer could import a MARCXML record with a malicious URL in it. --=20 You are receiving this mail because: You are watching all bug changes. --===============2233667937103478687==-- From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 04:53:30 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 28 Feb 2019 03:53:27 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5403059213180488645==" --===============5403059213180488645== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #7 from David Cook --- I just removed the "url" filter from [% ITEM_RESULT.uri | url %], and I was able to exploit the XSS vulnerability by putting a malicious string into the "952$u" subfield via the Staff Client... Looking at https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), it tal= ks about how XSS occurs "anywhere a web application uses input from a user within the output it generates without validating or encoding it".=20 In the case of ITEM_RESULT.uri, I don't think that encoding it is the right solution. However, we could validate it by writing a custom Template::Toolkit filter to use Perl's URI module to ensure that it is actually a URL?=20 Trying to think about a valid URL that could also include a malicious payload... -- I just took a malicious string (perhaps best I don't share it publicly?) that exploits [% ITEM_RESULT.uri %] and put it through URI->new() and it escaped t= he malicious characters, which is good. I just put "https://idp.com?redirect_url=3Dhttps%3A%2F%2Fsomewhere_else.com" through URI->new() and it didn't modify it in any way, which is good. I just put "http://loris.example.org/loris/1234%2F5678%2F90123.tif/info.json" through URI->new() and it didn't modify it in any way, which is good.=20 I just put "https://idp.com?redirect_url=3Dhttps://somewhere_else.com" through URI->new() and it didn't modify it in any way, which is fine. --=20 You are receiving this mail because: You are watching all bug changes. --===============5403059213180488645==-- From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 05:20:29 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 28 Feb 2019 04:19:59 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5216320709369800520==" --===============5216320709369800520== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #8 from David Cook --- Using some of the evasion strategies in https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) and Perl's URI->new() is handling it.=20 Ah we can see it at https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L= 81 I think. Basically it encodes everything that isn't in the following: our $reserved =3D q(;/?:@&=3D+$,[]); our $mark =3D q(-_.!~*'()); #'; emacs our $unreserved =3D "A-Za-z0-9\Q$mark\E"; our $uric =3D quotemeta($reserved) . $unreserved . "%"; Whereas http://template-toolkit.org/docs/manual/Filters.html#section_url encodes everything that is outside the permitted URI charactesrs from RFC 239= 6, except &, @, /, ;, :, =3D, +, ? and $.=20 The key thing is how the URI module doesn't encode the % sign.=20 (Of course reading http://template-toolkit.org/docs/manual/Filters.html#section_uri it says ("(", ")", "~", "*", "!" and the single quote "'") now need to be escaped according to RFC3986... and the URI module doesn't do that? --=20 You are receiving this mail because: You are watching all bug changes. --===============5216320709369800520==-- From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 05:22:01 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 28 Feb 2019 04:21:58 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0130487819817946873==" --===============0130487819817946873== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #9 from David Cook --- I find it interesting that the double quote character is safe in RFC 3986... = as that's a character I use for crafting my malicious strings. --=20 You are receiving this mail because: You are watching all bug changes. --===============0130487819817946873==-- From bugzilla-daemon@bugs.koha-community.org Thu Feb 28 06:44:26 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 28 Feb 2019 05:44:22 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3020345252918423451==" --===============3020345252918423451== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #10 from David Cook --- (In reply to David Cook from comment #9) > I find it interesting that the double quote character is safe in RFC 3986... > as that's a character I use for crafting my malicious strings. But in Template 2.28 it is still encoding the double quote character even though it says it doesn't need to... *shrug* -- You are receiving this mail because: You are watching all bug changes. --===============3020345252918423451==-- From bugzilla-daemon@bugs.koha-community.org Sat May 4 17:27:20 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Sat, 04 May 2019 15:27:17 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1176608350354808146==" --===============1176608350354808146== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #11 from Jonathan Druart --- Created attachment 89352 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=3D89352&action=3D= edit Bug 22223: Try to not double encoded URIs in items.uri This is just a POC and is not ready for inclusion (Filter.pm and naming need to be discussed). Test plan: Create 2 items, with uri: https://www.google.com/url?q=3Dhttps://buttercup.pw https://www.google.com/url?q=3Dhttps%3A%2F%2Fbuttercup.pw Go to the OPAC detail page of the bib record, see that the links are displayed how you entered them. Click on them and confirm that the uri/page is correct --=20 You are receiving this mail because: You are watching all bug changes. --===============1176608350354808146==-- From bugzilla-daemon@bugs.koha-community.org Sat May 4 17:28:05 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Sat, 04 May 2019 15:28:02 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0727096661730157052==" --===============0727096661730157052== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|oleonard@myacpl.org |jonathan.druart@bugs.koha-c | |ommunity.org Status|NEW |In Discussion --- Comment #12 from Jonathan Druart --- Here is a patch for discussion, could you confirm it fixes the issues you faced? --=20 You are receiving this mail because: You are watching all bug changes. --===============0727096661730157052==-- From bugzilla-daemon@bugs.koha-community.org Mon Nov 11 03:32:17 2019 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 11 Nov 2019 02:32:16 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6558967197960945925==" --===============6558967197960945925== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #13 from David Cook --- (In reply to Jonathan Druart from comment #12) > Here is a patch for discussion, could you confirm it fixes the issues you > faced? Apologies for the delay, Jonathan. I have too many other priorities at the moment, so I probably won't be testing this or following up for a long time. -- You are receiving this mail because: You are watching all bug changes. --===============6558967197960945925==-- From bugzilla-daemon@bugs.koha-community.org Wed Jul 29 23:37:44 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 29 Jul 2020 21:37:44 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4947017305330376648==" --===============4947017305330376648== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Lucas Gass changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #14 from Lucas Gass --- I ran into this problem today with double encoded URL parameters if OPACURLOpenInNewWindow is turned on. Not sure why this is In Discussion, I tested Jonathan's patch (which needs rebased) and it seems to work. -- You are receiving this mail because: You are watching all bug changes. --===============4947017305330376648==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 06:31:35 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 04:31:33 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1666165403524510967==" --===============1666165403524510967== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #15 from David Cook --- (In reply to Lucas Gass from comment #14) > I ran into this problem today with double encoded URL parameters if > OPACURLOpenInNewWindow is turned on. Not sure why this is In Discussion, I > tested Jonathan's patch (which needs rebased) and it seems to work. I think Jonathan probably put it as "In Discussion" as it was a POC to him. Looking at the code... I don't really like this patch as it's trying to undo double-encoding (rather than just not double-encoding in the first place). -- You are receiving this mail because: You are watching all bug changes. --===============1666165403524510967==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 06:34:14 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 04:34:13 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7919413823457321363==" --===============7919413823457321363== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #16 from David Cook --- I think removing the "url" filter seems like the more reasonable solution to me. In this case, the ITEM_RESULT.uri is coming from a stored record in the staff interface, so we don't really need to filter unauthenticated untrusted user input. That said, an authenticated user with cataloguing privileges could put in malicious Javascript into a 856$u subfield. (Then again, an authenticated user with admin privileges could put malicious Javascript into OpacUserJS, so an authenticated staff interface user is always a bit of a risk.) -- You are receiving this mail because: You are watching all bug changes. --===============7919413823457321363==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:09:35 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 05:09:34 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6824865684391277683==" --===============6824865684391277683== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #17 from David Cook --- Consider the following excerpt from the URI standard https://tools.ietf.org/html/std66#section-3.4: "However, as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters." It seems like the standard itself (from 2005) mentions that URI encoding query components indiscriminately can be problematic. -- You are receiving this mail because: You are watching all bug changes. --===============6824865684391277683==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:15:38 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 05:15:37 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6644014151613198004==" --===============6644014151613198004== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #18 from David Cook --- Template Toolkit uses RFC 2396 (from 1998) for the url filter. Looking at RFC 2396 https://tools.ietf.org/html/rfc2396#section-2.4.2: "Data must be escaped if it does not have a representation using an unreserved character" However, it also says the following: "A URI is always in an "escaped" form, since escaping or unescaping a complet= ed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts; each component may have its own set of characters that are reserved, so only the mechanism responsible for generating or interpreting that component can determine whether or not escaping a character will change its semantics. Likewise, a URI must be separated into its components before the escaped characters within those components can be safely decoded." Note also the following: "Because the percent "%" character always has the reserved purpose of being t= he escape indicator, it must be escaped as "%25" in order to be used as data within a URI. Implementers should be careful not to escape or unescape the same string more than once, since unescaping an already unescaped string might lead to misinterpreting a percent data character as another escaped character, or vice versa in the case of escaping an already escaped string." Template Toolkit have changed the behaviour of the "uri" and "url" filters ov= er time (http://www.template-toolkit.org/docs/manual/Filters.html#section_url). I think they also haven't interpreted RFC3986 correctly in regards to the double quote character... --=20 You are receiving this mail because: You are watching all bug changes. --===============6644014151613198004==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:26:46 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 05:26:45 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2259277562222838428==" --===============2259277562222838428== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #19 from David Cook --- Actually, after re-reading those specifications, I think maybe we *should* ke= ep the "url" filter in the Template Toolkit template. If we consider the staff interface to be the "URI producer", then technically the problem is with storing URLs that contain encoded information. That said, maybe we would be better off storing encoded URLs in MARC 856$u, a= nd then either passing those through to the interface with $raw, or decoding on the backend and then re-encoding using Template Toolkit.=20 Technically, https://www.loc.gov/marc/bibliographic/bd856.html doesn't say anything about percent encoding, although all the examples contain percent encoded examples.=20 That goes back to the URI standard that says a URI is always "encoded". Maybe we should be decoding it prior to putting it through the filter. Let me have a think about that... --=20 You are receiving this mail because: You are watching all bug changes. --===============2259277562222838428==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 07:45:34 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 05:45:33 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6339921131667760189==" --===============6339921131667760189== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #20 from David Cook --- Consider the following code: #!/usr/bin/perl use strict; use warnings; use URI::Escape; use Template; my $one = uri_unescape('https://www.google.com/url?q=https://buttercup.pw"'); my $two = uri_unescape('https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw%22'); my $template = Template->new(); my $output; $template->process( \*DATA, { one => $one, two => $two }, \$output ); warn $output; __DATA__ [% one | url %] [% two | url %] Consider the output: https://www.google.com/url?q=https://buttercup.pw%22 https://www.google.com/url?q=https://buttercup.pw%22 Actually... while that *looks* good... that's not necessarily correct, because the "correct" URL is actually https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw%22 That said... the end-target will uri_unescape the value of the "q" key anyway, so it shouldn't matter. Plus the URI standard says you may choose not to percent encode the query component due to usability concerns... But our test cases might also be overly simplistic. I wonder if I have any real-life complex URLs for digital resources laying around... -- You are receiving this mail because: You are watching all bug changes. --===============6339921131667760189==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:07:46 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 06:07:45 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2472252173606734432==" --===============2472252173606734432== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #21 from David Cook --- Actually, I'm going back to thinking that the "url" filter should be removed = in this case. The 2005 URI standard says at https://tools.ietf.org/html/std66#section-2.4 that "the only time when octets within a URI are percent-encoded is during the process of producing the URI from its component parts. This is when an implementation determines which of the reserved characters are to be used as subcomponent delimiters and which can be safely used as data. Once produced,= a URI is always in its percent-encoded form." This is the only safe time to do the uri encoding. And if you look at the "uri" filter for Template Toolkit at http://www.template-toolkit.org/docs/manual/Filters.html#section_uri, that's how they use the do percent-encoding for URIs. That is, building a URI from i= ts component parts and doing the escaping at those points. The "url" filter for encoding whole URLs in Template Toolkit is highly problematic. I can certainly get the appeal. After all, say someone submits a URL to a web form and you want to show them their URL on the response page. Technically speaking, a person should decompose the URL, and then rebuild it from its component parts. The "url" filter is a convenient mechanism, but it seems technically incorrect. So we maybe shouldn't use the "url" filter... but we need to do *something*. = The 2005 URI standard is dogmatic. Practically speaking, Koha is given whole URLs by library staff members. It's not building URIs itself from component parts.=20 In theory, the library staff members should be passing in URLs that are alrea= dy encoded, but in practice that is unlikely to happen, unless they're copying/pasting from somewhere else, and even then it may be hit or miss. In theory, we shouldn't be encoding the URL at the template level since it should already be encoded when it was created... but as above... we can't tru= st that.=20 Perhaps we should implement our own filter that first parses the URI and then decodes its component parts before re-encoding its component parts.=20 Of course, https://tools.ietf.org/html/std66#section-2.4 also says "Implementations must not percent-encode or decode the same string more than once, as decoding an already decoded string might lead to misinterpreting a percent data octet as the beginning of a percent-encoding, or vice versa in t= he case of percent-encoding an already percent-encoded string." So... technically speaking this is kind of unsolvable in terms of strict adherence to the standard?=20 The problem being of course the human element. If we were mechanically buildi= ng URLs, encoding them, sending them, decoding them, and using them... it would all be fine.=20 The problem is human input.=20 With the OPAC, we might accept a URL but it would just be as text data. But with the staff interface, we're actually using it in HTML...=20 The most practical option in my mind is to just not use the "url" filter on this field, because I think that we sort of have to assume that the librarian has put in a properly encoded URL in the first place. --=20 You are receiving this mail because: You are watching all bug changes. --===============2472252173606734432==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:33:49 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 06:33:47 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2335553210856961561==" --===============2335553210856961561== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #22 from David Cook --- But... doing nothing is also risky. I suppose we could validate that it's actually a URL, but that's easy to bypass. But we can't re-encode the URI components either because that could compromise the semantics of the URL. I suppose one could argue that it's better to compromise the semantics of a good URL than to permit an unchallenged bad URL. We could also check URLs for characters outside the "unreserved character" list, and percent-encode if we find any (by percent encoding components rather than using the "url" filter). You could get false positives but that's better than a false negative. That should prevent XSS and allow through properly encoded URLs (e.g. "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com"). -- You are receiving this mail because: You are watching all bug changes. --===============2335553210856961561==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:38:04 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 06:38:03 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0522899947298523268==" --===============0522899947298523268== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #23 from David Cook --- (In reply to David Cook from comment #22) > We could also check URLs for characters outside the "unreserved character" > list, and percent-encode if we find any (by percent encoding components > rather than using the "url" filter). You could get false positives but > that's better than a false negative. > > That should prevent XSS and allow through properly encoded URLs (e.g. > "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com"). Except that I'm wrong. It wouldn't allow through properly encoded URLs because % is not an "unreserved character". But as I said in https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c8 that's why URI "find all funny characters and encode the bytes" when the characters are not reserved, not unreserved, and not a % sign: https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L80 -- You are receiving this mail because: You are watching all bug changes. --===============0522899947298523268==-- From bugzilla-daemon@bugs.koha-community.org Thu Jul 30 08:44:19 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 30 Jul 2020 06:44:18 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8078626143076916147==" --===============8078626143076916147== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #24 from David Cook --- Consider the following code: #!/usr/bin/perl use strict; use warnings; use URI; use Template; my $one =3D URI->new('https://www.google.com/url?q=3Dhttps://buttercup.pw">new('https://www.google.com/url?q=3Dhttps%3A%2F%2Fbuttercup.= pw'); my $template =3D Template->new(); my $output; $template->process( \*DATA, { one =3D> $one, two =3D> $two }, \$output ); warn $output; __DATA__ [% one %] [% two %] Consider the following output: https://www.google.com/url?q=3Dhttps://buttercup.pw%22%3E%3C/a%3E%3Cinjection= %3E%3C/injection%3E%3Ca%20href=3D%22 https://www.google.com/url?q=3Dhttps%3A%2F%2Fbuttercup.pw In this case it's let the correctly percent encoded URL through, but it's also encoded the malicious URL. --=20 You are receiving this mail because: You are watching all bug changes. --===============8078626143076916147==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 11 18:03:39 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 11 Aug 2020 16:03:38 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3506733206974475704==" --===============3506733206974475704== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Margaret changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |margaret@bywatersolutions.c | |om -- You are receiving this mail because: You are watching all bug changes. --===============3506733206974475704==-- From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 12:07:09 2021 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 13 Oct 2021 10:07:08 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============9110055081064084515==" --===============9110055081064084515== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #89352|0 |1 is obsolete| | --- Comment #25 from Jonathan Druart --- Created attachment 126174 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=126174&action=edit Bug 22223: Try to not double encoded URIs in items.uri This is just a POC and is not ready for inclusion (Filter.pm and naming need to be discussed). Test plan: Create 2 items, with uri: https://www.google.com/url?q=https://buttercup.pw https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw Go to the OPAC detail page of the bib record, see that the links are displayed how you entered them. Click on them and confirm that the uri/page is correct -- You are receiving this mail because: You are watching all bug changes. --===============9110055081064084515==-- From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 12:07:26 2021 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 13 Oct 2021 10:07:26 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6966793837779271629==" --===============6966793837779271629== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #26 from Jonathan Druart --- Patch rebased. -- You are receiving this mail because: You are watching all bug changes. --===============6966793837779271629==-- From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 12:07:51 2021 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 13 Oct 2021 10:07:40 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6216867205445645172==" --===============6216867205445645172== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |severine.queune@bulac.fr --- Comment #27 from Jonathan Druart --- *** Bug 29208 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes. --===============6216867205445645172==-- From bugzilla-daemon@bugs.koha-community.org Wed Oct 13 13:02:05 2021 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 13 Oct 2021 11:02:05 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4494043575416565916==" --===============4494043575416565916== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Marcel de Rooy changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes. --===============4494043575416565916==-- From bugzilla-daemon@bugs.koha-community.org Thu Oct 14 11:12:28 2021 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 14 Oct 2021 09:12:27 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1710774555710111003==" --===============1710774555710111003== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #28 from Séverine Queune --- Hi Jonathan, Sorry for the duplicate, I searched in Bugzilla before I open my bug but it seems I didn't use good keywords... I tried to apply your POC on Biblibre's sandbox, but I get a "503 Service Unavailable". The patch correctly applies on ByWater's sandbox and it works pretty well ! I did my part, so I let you devs discuss about the points you mentioned :) Thanks ! -- You are receiving this mail because: You are watching all bug changes. --===============1710774555710111003==-- From bugzilla-daemon@bugs.koha-community.org Tue Mar 22 15:47:25 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 22 Mar 2022 14:47:24 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3532408131922102032==" --===============3532408131922102032== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |Signed Off -- You are receiving this mail because: You are watching all bug changes. --===============3532408131922102032==-- From bugzilla-daemon@bugs.koha-community.org Tue Mar 22 15:47:35 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 22 Mar 2022 14:47:29 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7939843302202859376==" --===============7939843302202859376== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #126174|0 |1 is obsolete| | --- Comment #29 from Jonathan Druart --- Created attachment 132027 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=132027&action=edit Bug 22223: Try to not double encoded URIs in items.uri This is just a POC and is not ready for inclusion (Filter.pm and naming need to be discussed). Test plan: Create 2 items, with uri: https://www.google.com/url?q=https://buttercup.pw https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw Go to the OPAC detail page of the bib record, see that the links are displayed how you entered them. Click on them and confirm that the uri/page is correct Signed-off-by: Séverine Queune -- You are receiving this mail because: You are watching all bug changes. --===============7939843302202859376==-- From bugzilla-daemon@bugs.koha-community.org Wed Apr 20 15:20:44 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 20 Apr 2022 13:20:43 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7129524958604827747==" --===============7129524958604827747== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #30 from Tomás Cohen Arazi --- Do you need this? use Template::Plugin::Filter; -- You are receiving this mail because: You are watching all bug changes. --===============7129524958604827747==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 15:55:29 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 13:55:28 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0676759296214680684==" --===============0676759296214680684== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #31 from Jonathan Druart --- Nope. It's a common mistake in Koha/Template/Plugin/, certainly coming from a copy/paste. -- You are receiving this mail because: You are watching all bug changes. --===============0676759296214680684==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 16:01:53 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 14:01:51 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4395166744246970326==" --===============4395166744246970326== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #132027|0 |1 is obsolete| | --- Comment #32 from Jonathan Druart --- Created attachment 133567 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133567&action=edit Bug 22223: Try to not double encoded URIs in items.uri This is just a POC and is not ready for inclusion (Filter.pm and naming need to be discussed). Test plan: Create 2 items, with uri: https://www.google.com/url?q=https://buttercup.pw https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw Go to the OPAC detail page of the bib record, see that the links are displayed how you entered them. Click on them and confirm that the uri/page is correct Signed-off-by: Séverine Queune JD amended patch: * Remove use Template::Plugin::Filter; * Fix license statement -- You are receiving this mail because: You are watching all bug changes. --===============4395166744246970326==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 16:49:56 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 14:49:55 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3304677253143630873==" --===============3304677253143630873== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes. --===============3304677253143630873==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 16:50:06 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 14:49:59 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6393146029346166669==" --===============6393146029346166669== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #133567|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. --===============6393146029346166669==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:00:19 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 15:00:18 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4022508776141521577==" --===============4022508776141521577== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Signed Off -- You are receiving this mail because: You are watching all bug changes. --===============4022508776141521577==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:00:59 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 15:00:34 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5603914233437507188==" --===============5603914233437507188== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #133567|1 |0 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. --===============5603914233437507188==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:01:48 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 15:01:47 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1362045256213270249==" --===============1362045256213270249== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #33 from Tomás Cohen Arazi --- Can you provide some regression tests for this? -- You are receiving this mail because: You are watching all bug changes. --===============1362045256213270249==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 17:45:37 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 15:45:36 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5499151389753166352==" --===============5499151389753166352== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #34 from Jonathan Druart --- Created attachment 133578 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133578&action=edit Bug 22223: Add tests -- You are receiving this mail because: You are watching all bug changes. --===============5499151389753166352==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:11:59 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:11:58 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0269280789667130985==" --===============0269280789667130985== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |tomascohen@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes. --===============0269280789667130985==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:16:23 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:16:17 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6163941671945138473==" --===============6163941671945138473== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes. --===============6163941671945138473==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:16:34 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:16:20 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6352830393067045515==" --===============6352830393067045515== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #133578|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. --===============6352830393067045515==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:16:44 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:16:24 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0150971730136644396==" --===============0150971730136644396== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #133567|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. --===============0150971730136644396==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:17:00 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:16:59 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1546962650024024863==" --===============1546962650024024863== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #35 from Tomás Cohen Arazi --- Created attachment 133589 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133589&action=edit Bug 22223: Try to not double encoded URIs in items.uri This is just a POC and is not ready for inclusion (Filter.pm and naming need to be discussed). Test plan: Create 2 items, with uri: https://www.google.com/url?q=https://buttercup.pw https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw Go to the OPAC detail page of the bib record, see that the links are displayed how you entered them. Click on them and confirm that the uri/page is correct Signed-off-by: Séverine Queune JD amended patch: * Remove use Template::Plugin::Filter; * Fix license statement Signed-off-by: Tomas Cohen Arazi -- You are receiving this mail because: You are watching all bug changes. --===============1546962650024024863==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:17:10 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:17:05 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1525908121230677604==" --===============1525908121230677604== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #36 from Tomás Cohen Arazi --- Created attachment 133590 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=133590&action=edit Bug 22223: Add tests Signed-off-by: Tomas Cohen Arazi Edit: fixed tests count -- You are receiving this mail because: You are watching all bug changes. --===============1525908121230677604==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 21 18:20:35 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 21 Apr 2022 16:20:34 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5512579496564372783==" --===============5512579496564372783== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #37 from Tomás Cohen Arazi --- (In reply to Jonathan Druart from comment #34) > Created attachment 133578 [details] [review] > Bug 22223: Add tests Great job, thanks -- You are receiving this mail because: You are watching all bug changes. --===============5512579496564372783==-- From bugzilla-daemon@bugs.koha-community.org Mon Apr 25 21:53:53 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 25 Apr 2022 19:53:49 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8522573334140846519==" --===============8522573334140846519== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Fridolin Somers changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #38 from Fridolin Somers --- > This is just a POC No push to master then ? -- You are receiving this mail because: You are watching all bug changes. --===============8522573334140846519==-- From bugzilla-daemon@bugs.koha-community.org Wed Apr 27 14:02:47 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 27 Apr 2022 12:02:45 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3808828932835417813==" --===============3808828932835417813== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #39 from Jonathan Druart --- (In reply to Fridolin Somers from comment #38) > > This is just a POC > No push to master then ? It *was* a POC, if everybody is happy with the patch I guess you can push it. -- You are receiving this mail because: You are watching all bug changes. --===============3808828932835417813==-- From bugzilla-daemon@bugs.koha-community.org Wed Apr 27 21:44:05 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 27 Apr 2022 19:44:04 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8016970843017959334==" --===============8016970843017959334== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #40 from Fridolin Somers --- That code looks very strange to me. Naming a TT filter 'Filter'. I would prefer to see syntax : [% var | $NoDoubleEncode %] Like TT plugin Price. Class is using : Base qw( Template::Plugin::Filter ) But does not implement a 'filter' method. -- You are receiving this mail because: You are watching all bug changes. --===============8016970843017959334==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 28 01:18:00 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 27 Apr 2022 23:17:59 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3763916995128492284==" --===============3763916995128492284== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #41 from David Cook --- (In reply to Fridolin Somers from comment #40) > That code looks very strange to me. > Naming a TT filter 'Filter'. > > I would prefer to see syntax : [% var | $NoDoubleEncode %] > Like TT plugin Price. > > Class is using : > Base qw( Template::Plugin::Filter ) > But does not implement a 'filter' method. I think a good alternative would be what I suggest at https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c7 as well. -- You are receiving this mail because: You are watching all bug changes. --===============3763916995128492284==-- From bugzilla-daemon@bugs.koha-community.org Thu Apr 28 09:08:21 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 28 Apr 2022 07:08:20 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6569895051749568060==" --===============6569895051749568060== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|jonathan.druart+koha@gmail. |oleonard@myacpl.org |com | Status|Passed QA |In Discussion --- Comment #42 from Jonathan Druart --- (In reply to Fridolin Somers from comment #40) > That code looks very strange to me. > Naming a TT filter 'Filter'. > > I would prefer to see syntax : [% var | $NoDoubleEncode %] > Like TT plugin Price. > > Class is using : > Base qw( Template::Plugin::Filter ) > But does not implement a 'filter' method. The idea was to have a module that would deal with other encode/decode, or replacements functions. I still think it is a good idea. I don't have more time to dedicate to this patch unfortunately. -- You are receiving this mail because: You are watching all bug changes. --===============6569895051749568060==-- From bugzilla-daemon@bugs.koha-community.org Tue Dec 6 06:21:27 2022 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 06 Dec 2022 05:21:24 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6352652056349408967==" --===============6352652056349408967== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 David Cook changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com --- Comment #43 from David Cook --- *** Bug 23535 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes. --===============6352652056349408967==-- From bugzilla-daemon@bugs.koha-community.org Mon Aug 19 18:16:29 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 19 Aug 2024 16:16:28 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7852767479556554062==" --===============7852767479556554062== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Laura Escamilla changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Laura.escamilla@bywatersolu | |tions.com --- Comment #44 from Laura Escamilla -= -- +1 still an ongoing issue! --=20 You are receiving this mail because: You are watching all bug changes. --===============7852767479556554062==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 01:51:27 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 19 Aug 2024 23:51:26 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3946628881495252968==" --===============3946628881495252968== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #45 from David Cook --- It looks like it's no longer an issue in the staff interface since we're now constructing this HTML using Javascript in koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_= detail.inc and we're using our homemade escape function. I'd prefer we created the elements using objects rather than strings and using escape_str, but it escapes the XSS and doesn't double-encode a simple URL, so it seems good enough. The OPAC is still a problem. I'm going to try something... --=20 You are receiving this mail because: You are watching all bug changes. --===============3946628881495252968==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:28:09 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 20 Aug 2024 00:28:08 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7561985016235396330==" --===============7561985016235396330== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 David Cook changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. --===============7561985016235396330==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:28:19 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 20 Aug 2024 00:28:11 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3120442430308298079==" --===============3120442430308298079== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 David Cook changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #133589|0 |1 is obsolete| | Attachment #133590|0 |1 is obsolete| | --- Comment #46 from David Cook --- Created attachment 170485 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170485&action=edit Bug 22223: Add filter to make item URLs safe in template output This change adds a "safe_url" filter which takes a text input and returns a Perl URL object which stringifies to a safe URL. This change is only needed in the OPAC as the staff interface handles the item URL display using Javascript not Template Toolkit. 0. Apply patch and koha-plack --restart kohadev 1. Create an item for a record using the following URL https://koha-community.org?url=https%3A%2F%2Fkoha-community.org 2. Go to the OPAC for that record and verify that the URL is not double-escaped 3. Create a malicious payload (talk to QA/security team for this if necessary) 4. Note that the malicious payload is escaped 5. prove t/Koha/Plugins/SafeURL.t 6. Celebrate! -- You are receiving this mail because: You are watching all bug changes. --===============3120442430308298079==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:28:45 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 20 Aug 2024 00:28:45 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2825929440343172380==" --===============2825929440343172380== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #47 from David Cook --- I've obsoleted Jonathan's patches as they won't apply anymore, but I took inspiration from his patches. -- You are receiving this mail because: You are watching all bug changes. --===============2825929440343172380==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:29:15 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 20 Aug 2024 00:29:14 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2072772942826144396==" --===============2072772942826144396== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #48 from David Cook --- QA note: FAIL koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt FAIL filters missing_filter at line 1366 ( = =20 [% uri | html %]) missing_filter at line 1373 ( = ) So... either we need to add a $raw filter after "safe_url" or we need to upda= te the QA tools to deal with this new "safe_url" filter? --=20 You are receiving this mail because: You are watching all bug changes. --===============2072772942826144396==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 02:53:04 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 20 Aug 2024 00:53:02 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5994628283923485254==" --===============5994628283923485254== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 David Cook changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37681 -- You are receiving this mail because: You are watching all bug changes. --===============5994628283923485254==-- From bugzilla-daemon@bugs.koha-community.org Tue Aug 20 03:10:00 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 20 Aug 2024 01:09:59 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4170700259238392457==" --===============4170700259238392457== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 David Cook changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|oleonard@myacpl.org |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes. --===============4170700259238392457==-- From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 20:54:50 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 21 Aug 2024 18:54:49 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1716529637865096850==" --===============1716529637865096850== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Gretchen Maxeiner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |maxeinergl@gcc.edu --- Comment #49 from Gretchen Maxeiner --- Hello, we are a library experiencing this issue and I was directed to this ticket. I'm out of my depth on this discussion but I see an assumption that this only affects the OPAC, not the staff interface. This is not true for us = -- so I wanted to add that we see it both places.=20 Our scenario is this: Links in the MARC 856 sometimes contain a space (these links are generated out of a SharePoint where spaces are permitted in naming). These records are then used in Course Reserves. If you try to access the URL from the reserve title list within a course the "Record URL" link fails for these. The "Record URL" link is available for course reserves in both the OPAC and Staff interface, and fails both places. Thank you all for looking into and working on this issue! --=20 You are receiving this mail because: You are watching all bug changes. --===============1716529637865096850==-- From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 21:25:17 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 21 Aug 2024 19:25:16 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7266237544693535922==" --===============7266237544693535922== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #50 from Lucas Gass --- (In reply to Gretchen Maxeiner from comment #49) > Hello, we are a library experiencing this issue and I was directed to this > ticket. I'm out of my depth on this discussion but I see an assumption that > this only affects the OPAC, not the staff interface. This is not true for us > -- so I wanted to add that we see it both places. > > Our scenario is this: Links in the MARC 856 sometimes contain a space (these > links are generated out of a SharePoint where spaces are permitted in > naming). These records are then used in Course Reserves. If you try to > access the URL from the reserve title list within a course the "Record URL" > link fails for these. The "Record URL" link is available for course reserves > in both the OPAC and Staff interface, and fails both places. > > Thank you all for looking into and working on this issue! Thanks for your input, Gretchen. David's patch will make it pretty easy to apply this safe_url filter to other places in Koha, like course reserves. I'm going to sign-off here because this works good. As for the QA script, I think it's better to update the script. -- You are receiving this mail because: You are watching all bug changes. --===============7266237544693535922==-- From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 21:25:45 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 21 Aug 2024 19:25:44 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6563141716414825691==" --===============6563141716414825691== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Lucas Gass changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes. --===============6563141716414825691==-- From bugzilla-daemon@bugs.koha-community.org Wed Aug 21 21:25:55 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 21 Aug 2024 19:25:47 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1842931226366267442==" --===============1842931226366267442== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Lucas Gass changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #170485|0 |1 is obsolete| | --- Comment #51 from Lucas Gass --- Created attachment 170577 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170577&action=edit Bug 22223: Add filter to make item URLs safe in template output This change adds a "safe_url" filter which takes a text input and returns a Perl URL object which stringifies to a safe URL. This change is only needed in the OPAC as the staff interface handles the item URL display using Javascript not Template Toolkit. 0. Apply patch and koha-plack --restart kohadev 1. Create an item for a record using the following URL https://koha-community.org?url=https%3A%2F%2Fkoha-community.org 2. Go to the OPAC for that record and verify that the URL is not double-escaped 3. Create a malicious payload (talk to QA/security team for this if necessary) 4. Note that the malicious payload is escaped 5. prove t/Koha/Plugins/SafeURL.t 6. Celebrate! Signed-off-by: Lucas Gass -- You are receiving this mail because: You are watching all bug changes. --===============1842931226366267442==-- From bugzilla-daemon@bugs.koha-community.org Thu Oct 31 19:18:26 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 31 Oct 2024 18:18:24 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7462164603896152325==" --===============7462164603896152325== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Tomás Cohen Arazi (tcohen) changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|tomascohen@gmail.com |jonathan.druart@gmail.com --- Comment #52 from Tomás Cohen Arazi (tcohen) --- I like what I read, it works. I would like Jonathan's feedback. -- You are receiving this mail because: You are watching all bug changes. --===============7462164603896152325==-- From bugzilla-daemon@bugs.koha-community.org Mon Nov 4 14:26:40 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 04 Nov 2024 13:26:38 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6491261395629511600==" --===============6491261395629511600== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 Paul Derscheid changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |paul.derscheid@lmscloud.de --- Comment #53 from Paul Derscheid --- Just ran the koha-qa on this. Is this a false positive? FAIL koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt FAIL filters missing_filter at line 1372 ( = =20 [% uri | html %]) missing_filter at line 1379 ( = ) --=20 You are receiving this mail because: You are watching all bug changes. --===============6491261395629511600==-- From bugzilla-daemon@bugs.koha-community.org Mon Nov 4 15:32:04 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 04 Nov 2024 14:32:03 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6160832639172814892==" --===============6160832639172814892== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #54 from Tomás Cohen Arazi (tcohen) --- (In reply to Paul Derscheid from comment #53) > Just ran the koha-qa on this. Is this a false positive? It is just we need to teach the QA tools about `safe_url`. False positive. -- You are receiving this mail because: You are watching all bug changes. --===============6160832639172814892==-- From bugzilla-daemon@bugs.koha-community.org Mon Nov 4 23:41:46 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 04 Nov 2024 22:41:44 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3929389515873074135==" --===============3929389515873074135== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D22223 --- Comment #55 from David Cook --- (In reply to Tom=C3=A1s Cohen Arazi (tcohen) from comment #54) > (In reply to Paul Derscheid from comment #53) > > Just ran the koha-qa on this. Is this a false positive? >=20 > It is just we need to teach the QA tools about `safe_url`. False positive. I've only recently been learning about this. The built-in filter "xml" does t= he same thing, and I provided a patch for that on bug 21731. Would it be OK to just do the same here? --=20 You are receiving this mail because: You are watching all bug changes. --===============3929389515873074135==-- From bugzilla-daemon@bugs.koha-community.org Tue Nov 5 13:58:21 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Tue, 05 Nov 2024 12:58:20 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5581318853315788823==" --===============5581318853315788823== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #56 from Tomás Cohen Arazi (tcohen) --- (In reply to David Cook from comment #55) > (In reply to Tomás Cohen Arazi (tcohen) from comment #54) > > (In reply to Paul Derscheid from comment #53) > > > Just ran the koha-qa on this. Is this a false positive? > > > > It is just we need to teach the QA tools about `safe_url`. False positive. > > I've only recently been learning about this. The built-in filter "xml" does > the same thing, and I provided a patch for that on bug 21731. Would it be OK > to just do the same here? Yes. -- You are receiving this mail because: You are watching all bug changes. --===============5581318853315788823==-- From bugzilla-daemon@bugs.koha-community.org Wed Nov 6 18:00:28 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 06 Nov 2024 17:00:26 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1739739215192715551==" --===============1739739215192715551== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Phil Ringnalda changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=38214 -- You are receiving this mail because: You are watching all bug changes. --===============1739739215192715551==-- From bugzilla-daemon@bugs.koha-community.org Wed Nov 6 18:01:08 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 06 Nov 2024 17:00:53 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7211796459616060201==" --===============7211796459616060201== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Phil Ringnalda changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |phil@chetcolibrary.org -- You are receiving this mail because: You are watching all bug changes. --===============7211796459616060201==-- From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 02:38:05 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 07 Nov 2024 01:38:03 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6089766937463047100==" --===============6089766937463047100== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #57 from David Cook --- Created attachment 174101 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174101&action=edit Bug 22223: t::lib::QA::TemplateFilters missing built-in TT filter "safe_url" causes false warnings -- You are receiving this mail because: You are watching all bug changes. --===============6089766937463047100==-- From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 09:49:08 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 07 Nov 2024 08:49:07 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8865701369603246362==" --===============8865701369603246362== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes. --===============8865701369603246362==-- From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 09:49:19 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 07 Nov 2024 08:49:11 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1895260613609117431==" --===============1895260613609117431== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #170577|0 |1 is obsolete| | Attachment #174101|0 |1 is obsolete| | --- Comment #58 from Jonathan Druart --- Created attachment 174104 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174104&action=edit Bug 22223: Add filter to make item URLs safe in template output This change adds a "safe_url" filter which takes a text input and returns a Perl URL object which stringifies to a safe URL. This change is only needed in the OPAC as the staff interface handles the item URL display using Javascript not Template Toolkit. 0. Apply patch and koha-plack --restart kohadev 1. Create an item for a record using the following URL https://koha-community.org?url=https%3A%2F%2Fkoha-community.org 2. Go to the OPAC for that record and verify that the URL is not double-escaped 3. Create a malicious payload (talk to QA/security team for this if necessary) 4. Note that the malicious payload is escaped 5. prove t/Koha/Plugins/SafeURL.t 6. Celebrate! Signed-off-by: Lucas Gass Signed-off-by: Jonathan Druart -- You are receiving this mail because: You are watching all bug changes. --===============1895260613609117431==-- From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 09:49:29 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 07 Nov 2024 08:49:14 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7363762352409429556==" --===============7363762352409429556== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #59 from Jonathan Druart --- Created attachment 174105 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174105&action=edit Bug 22223: t::lib::QA::TemplateFilters missing built-in TT filter "safe_url" causes false warnings Signed-off-by: Jonathan Druart -- You are receiving this mail because: You are watching all bug changes. --===============7363762352409429556==-- From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 16:32:38 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 07 Nov 2024 15:32:36 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0386568832534891089==" --===============0386568832534891089== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Katrin Fischer changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes. --===============0386568832534891089==-- From bugzilla-daemon@bugs.koha-community.org Thu Nov 7 16:32:48 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 07 Nov 2024 15:32:39 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0978219529676077039==" --===============0978219529676077039== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #60 from Katrin Fischer --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes. --===============0978219529676077039==-- From bugzilla-daemon@bugs.koha-community.org Fri Nov 22 04:46:26 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Fri, 22 Nov 2024 03:46:24 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8184973291956925454==" --===============8184973291956925454== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 David Cook changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=38467 -- You are receiving this mail because: You are watching all bug changes. --===============8184973291956925454==-- From bugzilla-daemon@bugs.koha-community.org Thu Dec 5 22:39:23 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 05 Dec 2024 21:39:22 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8409712828960983386==" --===============8409712828960983386== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Lucas Gass (lukeg) changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable Version(s)|24.11.00 |24.11.00,24.05.06 released in| | --- Comment #61 from Lucas Gass (lukeg) --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes. --===============8409712828960983386==-- From bugzilla-daemon@bugs.koha-community.org Thu Dec 5 22:39:33 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 05 Dec 2024 21:39:28 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2404254089447662670==" --===============2404254089447662670== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Lucas Gass (lukeg) changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes. --===============2404254089447662670==-- From bugzilla-daemon@bugs.koha-community.org Wed Dec 18 10:55:07 2024 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Wed, 18 Dec 2024 09:55:04 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8208100546781774610==" --===============8208100546781774610== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Fridolin Somers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Pushed to oldoldstable Version(s)|24.11.00,24.05.06 |24.11.00,24.05.06,23.11.11 released in| | --- Comment #62 from Fridolin Somers --- Pushed to 23.11.x for 23.11.11 -- You are receiving this mail because: You are watching all bug changes. --===============8208100546781774610==-- From bugzilla-daemon@bugs.koha-community.org Thu Jan 23 13:08:49 2025 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Thu, 23 Jan 2025 12:08:48 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0439060833931217297==" --===============0439060833931217297== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Chris Rowlands changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris.rowlands6@nhs.net -- You are receiving this mail because: You are watching all bug changes. --===============0439060833931217297==-- From bugzilla-daemon@bugs.koha-community.org Mon Feb 3 17:33:36 2025 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL Date: Mon, 03 Feb 2025 16:33:35 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6948038621932190051==" --===============6948038621932190051== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 Jesse Maseto changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to oldoldstable |RESOLVED CC| |jesse@bywatersolutions.com --- Comment #63 from Jesse Maseto --- Not pushed to LTS. Marked Resolved. If you feel this should be in LTS please reply with your reason. -- You are receiving this mail because: You are watching all bug changes. --===============6948038621932190051==--