View Issue Details

ID: 0007051
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2007-05-08 03:43
Reporter: polzin
Assigned To: thraxisp
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.3
Fixed in Version: 1.0.4
Summary: 0007051: Fix for 0006869 / 0007034 removes quoted "?" from arguments
Description

The fix for 0006869 / 0007034 (in cvs) removes quoted "?" from arguments with the lines


function string_sanitize_url( $p_url ) {
[...]
$t_url = strip_tags( urldecode( $p_url ) );
[...]
$t_param = str_replace( '?','', $t_param );

Is there some security reason for this? I have not found a code break in a release version, but it breaks my patch in 0005432. This produces urls like:


set_project.php?project_id=7&make_default=no&ref=bug_view_page.php%3Fbug_id%3D4230

after string_sanitize_url this is transformed to


set_project.php?project_id=7&make_default=no&ref=bug_view_page.phpbug_id%3D4230

Note that the "%3f" for ? has been removed and the new url is invalid.

If there is no security reason for it, I would suggest removing the "$t_param = str_replace( '?','', $t_param );" line.

Tags: No tags attached.

Relationships

parent of 0007257  closed  thraxisp  Port: Fix for 0006869 / 0007034 removes quoted "?" from arguments
has duplicate 0007055  closed  vboctor  invalid redirect url returned from string_sanitize_url
has duplicate 0007116  closed  vboctor  Redirection after editing of bugnote fails
has duplicate 0007141  closed  vboctor  redirection after login goes wrong
has duplicate 0007160  closed  vboctor  Error while after changing note
has duplicate 0007202  closed  ryandesign  invalid URL when forwarded
has duplicate 0007215  closed  ryandesign  "retrurn" parameter for login_page.php is wrong
has duplicate 0007153  closed  ryandesign  Error message on editing notices
has duplicate 0007134  closed  ryandesign  Application Error #203
has duplicate 0007240  closed  ryandesign  return to issue (from login page) loses '?'
has duplicate 0007234  closed  ryandesign  Mantis sends wrong links
has duplicate 0007237  closed  ryandesign  editing notes causes error
has duplicate 0007161  closed  vboctor  Issue link in mantis email gets corrupted once user log's in
related to 0007073  closed  ryandesign  Display of Link in notification-mail fails after Login with User-ID and password
related to 0007276  closed  grangeway  My suggestion for a corrected (and simplified) string_sanitize_url()
child of 0007052  closed  vboctor  Mantis 1.0.4 Release

Activities

polzin

2006-05-23 07:17

reporter   ~0012891

Last edited: 2006-06-26 04:47

Additionally there is a problem in quoting "#" to "%23". This leads to the error message after deleting (see 0007078) and also after editing a bugnote (AFAIK, not reported yet).

(The error happens after being redirected from the "Operation successful." page. If you click on the link "[ Click here to proceed ]" there is no problem, but automatic redirection does not work properly).

Therefore, I would set the severity of this higher than "minor".
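
The two problems reported above (the "?" deleted from a quoted argument, and "#" quoted to "%23"), reproduced as an added example. This is not MantisBT's string_sanitize_url() and not the CVS fix: sanitize_lossy() is a reconstruction built only from the three lines quoted in the description, all function names are hypothetical, the "#bugnotes" URL is a constructed sample, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not MantisBT code. All function names are hypothetical.

// Split "name=value&..." and re-encode each pair after passing both parts through $fix.
function rebuild_pairs(string $query, callable $fix): string {
    $out = [];
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $out[] = urlencode($fix($name)) . '=' . urlencode($fix($value));
    }
    return implode('&', $out);
}

// Lossy: decode the whole URL first, then delete every '?' found in a parameter.
function sanitize_lossy(string $url): string {
    $decoded = strip_tags(urldecode($url));   // %3F and %23 become literal '?' and '#'
    [$path, $query] = array_pad(explode('?', $decoded, 2), 2, '');
    if ($query === '') {
        return $path;
    }
    $strip = function (string $v): string {
        return str_replace('?', '', $v);      // the line questioned in the report
    };
    return $path . '?' . rebuild_pairs($query, $strip);
}

// Round-trip safe: split on the structural '#', '?', '&', '=' while the URL is
// still encoded, then decode, strip tags and re-encode one component at a time.
function sanitize_roundtrip(string $url): string {
    [$rest, $fragment] = array_pad(explode('#', $url, 2), 2, '');
    [$path, $query] = array_pad(explode('?', $rest, 2), 2, '');
    $clean = function (string $v): string {
        return strip_tags(urldecode($v));     // '?' and '#' inside a value stay data
    };
    $result = $clean($path);
    if ($query !== '') {
        $result .= '?' . rebuild_pairs($query, $clean);
    }
    return $fragment === '' ? $result : $result . '#' . urlencode($clean($fragment));
}

$samples = [
    'set_project.php?project_id=7&make_default=no&ref=bug_view_page.php%3Fbug_id%3D4230', // from the report
    'bug_view_page.php?bug_id=4230#bugnotes',                                            // constructed sample
];
foreach ($samples as $in) {
    printf("in:        %s\nlossy:     %s\nroundtrip: %s\n\n", $in, sanitize_lossy($in), sanitize_roundtrip($in));
}
```

Both functions only normalise encoding; whether the resulting target is an acceptable redirect destination is a separate check.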

thraxisp

2006-07-04 23:07

reporter   ~0013065

Fixed in CVS

core/string_api.php -> 1.75.4.2.2.1.2.1.2.2