View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007051 | mantisbt | bugtracker | public | 2006-05-08 07:40 | 2007-05-08 03:43 |
Reporter | polzin | Assigned To | thraxisp |
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | 1.0.3 |
Fixed in Version | 1.0.4 |
Summary | 0007051: Fix for 0006869 / 0007034 removes quoted "?" from arguments |
Description | The fix for 0006869 / 0007034 (in cvs) removes quoted "?" from arguments with the lines
Is there some security reason for this? I have not found a code break in a release version, but it breaks my patch in 0005432. This produces urls like:
after string_sanitize_url this is transformed to
Note that the "%3f" for ? has been removed and the new url is invalid. If there is no security reason for it, I would suggest removing the "$t_param = str_replace( '?','', $t_param );" line. |
Tags | No tags attached. |
parent of | 0007257 | closed | thraxisp | Port: Fix for 0006869 / 0007034 removes quoted "?" from arguments |
has duplicate | 0007055 | closed | vboctor | invalid redirect url returned from string_sanitize_url |
has duplicate | 0007116 | closed | vboctor | Redirection after editing of bugnote fails |
has duplicate | 0007141 | closed | vboctor | redirection after login goes wrong |
has duplicate | 0007160 | closed | vboctor | Error while after changing note |
has duplicate | 0007202 | closed | ryandesign | invalid URL when forwarded |
has duplicate | 0007215 | closed | ryandesign | "retrurn" parameter for login_page.php is wrong |
has duplicate | 0007153 | closed | ryandesign | Error message on editing notices |
has duplicate | 0007134 | closed | ryandesign | Application Error #203 |
has duplicate | 0007240 | closed | ryandesign | return to issue (from login page) loses '?' |
has duplicate | 0007234 | closed | ryandesign | Mantis sends wrong links |
has duplicate | 0007237 | closed | ryandesign | editing notes causes error |
has duplicate | 0007161 | closed | vboctor | Issue link in mantis email gets corrupted once user log's in |
related to | 0007073 | closed | ryandesign | Display of Link in notification-mail fails after Login with User-ID and password |
related to | 0007276 | closed | grangeway | My suggestion for a corrected (and simplified) string_sanitize_url() |
child of | 0007052 | closed | vboctor | Mantis 1.0.4 Release |
Additionally there is a problem in quoting "#" to "%23". This leads to the error message after deleting (see 0007078) and also after editing a bugnote (AFAIK, not reported yet). (The error happens after being redirected from the "Operation successful." page. If you click on the link "[ Click here to proceed ]" there is no problem, but automatic redirection does not work properly). Therefore, I would set the severity of this higher than "minor".
Fixed in CVS core/string_api.php -> 1.75.4.2.2.1.2.1.2.2
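The behaviour discussed in this issue, as an added example: constructed PHP, not MantisBT's string_sanitize_url() and not code from this tracker. It shows how stripping "?" from a decoded parameter value corrupts a nested return URL, and how re-encoding the value makes the strip unnecessary while the "#" separator stays outside the encoding. The function name, the sample URL, the path allowlist and the index.php fallback are assumptions.

```php
<?php
// Constructed sanitizer for illustration; not MantisBT's string_sanitize_url().
// $stripQuestionMark = true reproduces the effect of the line quoted in the report.
function sanitize_redirect_url(string $url, bool $stripQuestionMark): string
{
    // Split off the fragment first so the '#' separator is never percent-encoded.
    $fragment = '';
    $hashPos = strpos($url, '#');
    if ($hashPos !== false) {
        $fragment = substr($url, $hashPos + 1);
        $url = substr($url, 0, $hashPos);
    }
    // Only the first '?' separates the script path from the query string.
    $parts = explode('?', $url, 2);
    $path = $parts[0];
    $query = $parts[1] ?? '';
    // Assumption: only relative, same-site paths are valid redirect targets.
    if (!preg_match('~^[A-Za-z0-9_./-]+$~', $path) || strpos($path, '//') !== false) {
        return 'index.php'; // hypothetical safe default
    }
    $pairs = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv = explode('=', $pair, 2);
        $key = rawurldecode($kv[0]);
        $value = rawurldecode($kv[1] ?? '');
        if ($stripQuestionMark) {
            $value = str_replace('?', '', $value); // the strip the report objects to
        }
        // Re-encoding keeps '?', '&', '#' and quotes inert inside a value.
        $pairs[] = rawurlencode($key) . '=' . rawurlencode($value);
    }
    $out = $path;
    if ($pairs) {
        $out .= '?' . implode('&', $pairs);
    }
    if ($fragment !== '') {
        $out .= '#' . rawurlencode($fragment);
    }
    return $out;
}

// Constructed input: a login redirect whose "return" value is itself a URL.
$in = 'login_page.php?return=view.php%3Fid%3D7051%23bugnotes';
echo sanitize_redirect_url($in, true), "\n";   // stripping variant
echo sanitize_redirect_url($in, false), "\n";  // encode-only variant
echo sanitize_redirect_url('view.php?id=7051#bugnotes', false), "\n";
```

The stripping variant drops the encoded "?" from the return value, so the nested URL no longer has a query separator; the encode-only variant round-trips the input unchanged.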