[Bug 26606] New: Correctly URI-encode query string in URL loaded after deleting an authority record
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Bug ID: 26606 Summary: Correctly URI-encode query string in URL loaded after deleting an authority record Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: MARC Authority data support Assignee: koha-bugs@lists.koha-community.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org If you search for "this & that" and delete one of the results, after it is deleted the search in the reloaded page is for "this " rather than for "this & that". The template uses the url filter, which is for filtering an entire URI where :, &, #, etc. should be left alone, rather than the uri filter which is for filtering a URI component where they should be encoded. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #1 from Phil Ringnalda <phil@chetcolibrary.org> --- Created attachment 111184 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=111184&action=edit Bug 26606: Correctly URI-encode query string in URL loaded after deleting an authority record If you search for "this & that" and delete one of the results, after it is deleted the search in the reloaded page is for "this " rather than for "this & that". The template uses the url filter, which is for filtering an entire URI where :, &, #, etc. should be left alone, rather than the uri filter which is for filtering a URI component where they should be encoded. To test: 1) Go to Authorities > New authority > New from Z39.50/SRU 2) Search for the Author (corporate) this & that collective 3) Actions > Import, Save 4) From the detail for that authority, Edit > Edit as new (duplicate) 5) Edit the 110 field, add 2 at the end and Save 6) Search authorities for this & that 7) For one of the ones you created, Actions > Delete, confirm 8) The page that reloads should have a search for this & that, not just for this -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |phil@chetcolibrary.org |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 didier <didier.gautheron@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 didier <didier.gautheron@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #111184|0 |1 is obsolete| | --- Comment #2 from didier <didier.gautheron@biblibre.com> --- Created attachment 111208 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=111208&action=edit Bug 26606: Correctly URI-encode query string in URL loaded after deleting an authority record If you search for "this & that" and delete one of the results, after it is deleted the search in the reloaded page is for "this " rather than for "this & that". The template uses the url filter, which is for filtering an entire URI where :, &, #, etc. should be left alone, rather than the uri filter which is for filtering a URI component where they should be encoded. To test: 1) Go to Authorities > New authority > New from Z39.50/SRU 2) Search for the Author (corporate) this & that collective 3) Actions > Import, Save 4) From the detail for that authority, Edit > Edit as new (duplicate) 5) Edit the 110 field, add 2 at the end and Save 6) Search authorities for this & that 7) For one of the ones you created, Actions > Delete, confirm 8) The page that reloads should have a search for this & that, not just for this Signed-off-by: Didier Gautheron <didier.gautheron@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 didier <didier.gautheron@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |didier.gautheron@biblibre.c | |om -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Looks like all the other filters shown in the context should be changed to "uri" from "html" as well, but seems out of scope for this change. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #4 from Phil Ringnalda <phil@chetcolibrary.org> --- A bug (not this bug) about properly escaping authtypecode everywhere it is used really ought to exist, but as for e.g. orderby which has four possible values, HeadingDsc or HeadingAsc or null or an XSS attack in a spearphishing link, I'm unable to come up with any scenario where it would be valuable to URI-escape the quote that starts the XSS attack as %22 so it would be carefully passed through to the search that reloads after a deletion rather than HTML-escaping it as " and letting UA error handling deal with a bogus " URI param. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Phil Ringnalda from comment #4)
A bug (not this bug) about properly escaping authtypecode everywhere it is used really ought to exist
In this case, I think a lot of those "html" filters were added by an automated script to add XSS protection. Not sure why the value would've had a "url" filter instead of a "uri" filter. Probably just human error.
I'm unable to come up with any scenario where it would be valuable to URI-escape the quote that starts the XSS attack as %22 so it would be carefully passed through to the search that reloads after a deletion rather than HTML-escaping it as " and letting UA error handling deal with a bogus " URI param.
I do not understand what you're trying to say here. As for my earlier comment, I was saying that we should be using uri filters instead of html filters when URI building. But yes not in this bug. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #6 from Phil Ringnalda <phil@chetcolibrary.org> --- Happy to discuss things which are not about this bug in a place which is not in this bug. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Phil Ringnalda from comment #6)
Happy to discuss things which are not about this bug in a place which is not in this bug.
I think that I'm finished participating in this discussion, but feel free to open up more bug reports for URI encoding the rest of the query string arguments and authtypecode as you said. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #111208|0 |1 is obsolete| | --- Comment #8 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 111749 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=111749&action=edit Bug 26606: Correctly URI-encode query string in URL loaded after deleting an authority record If you search for "this & that" and delete one of the results, after it is deleted the search in the reloaded page is for "this " rather than for "this & that". The template uses the url filter, which is for filtering an entire URI where :, &, #, etc. should be left alone, rather than the uri filter which is for filtering a URI component where they should be encoded. To test: 1) Go to Authorities > New authority > New from Z39.50/SRU 2) Search for the Author (corporate) this & that collective 3) Actions > Import, Save 4) From the detail for that authority, Edit > Edit as new (duplicate) 5) Edit the 110 field, add 2 at the end and Save 6) Search authorities for this & that 7) For one of the ones you created, Actions > Delete, confirm 8) The page that reloads should have a search for this & that, not just for this Signed-off-by: Didier Gautheron <didier.gautheron@biblibre.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |20.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #9 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 20.11, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #10 from Lucas Gass <lucas@bywatersolutions.com> --- backported to 20.05.x for 20.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aleisha@catalyst.net.nz Version(s)|20.11.00 |20.11.00, 19.11.12 released in| | Status|Pushed to master |Pushed to stable --- Comment #11 from Aleisha Amohia <aleisha@catalyst.net.nz> --- backported to 19.11.x for 19.11.12 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |victor@tuxayo.net Status|Pushed to oldstable |Pushed to oldoldstable Version(s)|20.11.00, 19.11.12 |20.11.00, 19.11.12, released in| |19.05.17 --- Comment #12 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Backported to 19.05.x branch for 19.05.17 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldoldstable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org