[Bug 38214] New: Audit use of TT url filter for uses that should be uri instead
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 Bug ID: 38214 Summary: Audit use of TT url filter for uses that should be uri instead Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Templates Assignee: oleonard@myacpl.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org Shame the two things look so much alike in so many fonts, when you have old eyes. The url filter is for filtering a full URL, when you don't want to escape : or // since starting a URL with http%3A%2F%2F won't work well. The uri filter is for filtering a URL parameter, where you want '/search?query=why%3F' rather than '/search?query=why?' which breaks your URL by having a second '?'. Using url when you should use uri means you are leaving &, @, /, ;, :, =, +, ? and $ unescaped when you shouldn't. In many cases, the wrong use of url is on things like biblionumber, where that doesn't result in any interesting behavior, but in other cases... you can create an authorized value category named This&That=Stuff, and when you try to add a value to it, you will add a value to the category This, and pass the parameter That with the value Stuff to the script. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=22223 --- Comment #1 from Phil Ringnalda <phil@chetcolibrary.org> --- And there's bug 22223 for the way that the url filter isn't really a good idea even if you do have a full URL to filter. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- My favourite is how the behaviour of "uri" and "url" also changes depending on your version of Template::Toolkit. We're on 2.27 but I think there's a change in 2.28. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 --- Comment #3 from Phil Ringnalda <phil@chetcolibrary.org> --- Right. 2.26 and 2.27 you need to call Template::Filters->use_rfc3986() to have "(", ")", "*", "!", and "'" escaped, 2.26 you need to update to 2.27 to have '"' escaped by use_rfc3986(). 2.28 you no longer need to use_rfc3986(). So, when do we switch to 2.28? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to Phil Ringnalda from comment #3)
Right. 2.26 and 2.27 you need to call Template::Filters->use_rfc3986() to have "(", ")", "*", "!", and "'" escaped, 2.26 you need to update to 2.27 to have '"' escaped by use_rfc3986(). 2.28 you no longer need to use_rfc3986().
So, when do we switch to 2.28?
Good question. I was just about to search up the packages in Debian and Ubuntu but both of their package search sites appear to be down. In any case, we'll be switching accidentally I'm sure 🤣 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #4)
(In reply to Phil Ringnalda from comment #3)
Right. 2.26 and 2.27 you need to call Template::Filters->use_rfc3986() to have "(", ")", "*", "!", and "'" escaped, 2.26 you need to update to 2.27 to have '"' escaped by use_rfc3986(). 2.28 you no longer need to use_rfc3986().
So, when do we switch to 2.28?
Good question. I was just about to search up the packages in Debian and Ubuntu but both of their package search sites appear to be down.
In any case, we'll be switching accidentally I'm sure 🤣
Ok sites back up. It looks like Debian and Ubuntu are both sticking with 2.27 for the foreseeable future. On Metacpan, it looks like 2.28 is actually from 2018, and that Template::Toolkit actually has a 3.x release dating back to late 2019 with a 3.102 having gone out in June 2024. At a glance, I don't know that 3.x is a meaningful bump as I can't see any documentation about it... -- I'd say we probably wouldn't upgrade to 2.28 until upstream updates. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |38467 Assignee|oleonard@myacpl.org |phil@chetcolibrary.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38214 Bug 38214 depends on bug 38467, which changed state. Bug 38467 Summary: Template::Toolkit filters can create risky Javascript when not using RFC3986 https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38467 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org