[Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL
bugzilla-daemon at bugs.koha-community.org
Thu Jul 30 08:33:47 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #22 from David Cook <dcook at prosentient.com.au> ---
But... doing nothing is also risky.
I suppose we could validate that it's actually a URL, but that's easy to
bypass.
But we can't re-encode the URI components either because that could compromise
the semantics of the URL.
I suppose one could argue that it's better to compromise the semantics of a
good URL than to permit an unchallenged bad URL.
We could also check URLs for characters outside the "unreserved character"
list, and percent-encode if we find any (by percent encoding components rather
than using the "url" filter). You could get false positives but that's better
than a false negative.
That should prevent XSS and allow through properly encoded URLs (e.g.
"https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").
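An added example (not Koha's code, written in Python rather than Koha's Perl for illustration) of the approach Comment #22 sketches: scan the URL for characters outside RFC 3986's unreserved and reserved sets, treat a bare "%" as one of them, percent-encode only the offending characters, and leave an already encoded URL untouched. `naive_url_filter` stands in for a blanket "url" filter that produces the double-encoding; the function names are assumptions.

```python
import re
from urllib.parse import quote

# RFC 3986 character classes. A well-formed URL contains only these
# characters plus valid %XX escapes; anything else is a sign the value was
# never encoded (or is an injection attempt against the href context).
UNRESERVED = "A-Za-z0-9\\-._~"
RESERVED = ":/?#\\[\\]@!$&'()*+,;="
ALLOWED_CHAR = re.compile(f"[{UNRESERVED}{RESERVED}]")
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def sanitize_url(url: str) -> tuple[str, list[str]]:
    """Return (sanitized_url, offending_chars).

    Existing %XX escapes and URL delimiters pass through unchanged, so the
    semantics of a correctly encoded URL survive; only characters that could
    not legally appear in a URL are percent-encoded (as UTF-8 bytes).
    Scheme allow-listing and HTML attribute escaping are separate steps.
    """
    out, bad, i = [], [], 0
    while i < len(url):
        if PCT_ESCAPE.match(url, i):          # keep a valid escape as-is
            out.append(url[i:i + 3])
            i += 3
        elif ALLOWED_CHAR.match(url[i]):      # unreserved or reserved char
            out.append(url[i])
            i += 1
        else:                                 # space, quotes, <, >, bare %, non-ASCII ...
            bad.append(url[i])
            out.append("".join(f"%{b:02X}" for b in url[i].encode("utf-8")))
            i += 1
    return "".join(out), bad


def naive_url_filter(url: str) -> str:
    """What a blanket 'url' filter does: '%' is encoded too, so an already
    encoded parameter is double-encoded ("%3A" becomes "%253A")."""
    return quote(url, safe="/:?=&")


if __name__ == "__main__":
    # Constructed sample URLs for demonstration.
    encoded = "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com"
    print(naive_url_filter(encoded))                 # double-encoded
    print(sanitize_url(encoded))                     # untouched, no bad chars
    print(sanitize_url('https://example.com/a b?q=<x>'))
```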