
Un-escaped characters in login "returnto" parameter
Closed, Resolved, Public

Description

While normally the "&" in a title is correctly escaped, in the case of signing in from such a page, the URL created contains a non-escaped "&". Example:

http://offene-naturfuehrer.de/w/index.php?title=Spezial:Anmelden&returnto=Schl%C3%BCssel_zu_den_Familien_der_B%C3%A4rlapppflanzen_und_Farne_in_Deutschland_%28H.W._Bennert_&_K._Horn%29

Note the non-escaped "_&_" at the end.


Version: 1.18.x
Severity: normal

Details

Reference
bz26603

Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:14 PM
bzimport set Reference to bz26603.

Forgot the SVN: tested under r79596

*** Bug 26604 has been marked as a duplicate of this bug. ***

According to bug 26604 the same applies to the "+" character.

I tried reproducing this on trunk, but the ampersand and plus get escaped fine.

I confirm, cannot reproduce it on r82189 any more. Someone seems to have fixed this "accidentally"...

Error is still present, reopening.

The duplicate bug 26604 describes it better than the description here.

The error requires the sequence:

1. being signed in on a page
2. sign out
3. on confirm page, go to the top right login box (not the login on the logout message itself, which does NOT contain a return-to)

the return-to in the login in the top right corner reveals already as a URL that the return-to parameter is now unescaped.

(In reply to comment #6)

> Error is still present, reopening.
>
> The duplicate bug 26604 describes it better than the description here.
>
> The error requires the sequence:
>
> 1. being signed in on a page
> 2. sign out
> 3. on confirm page, go to the top right login box (not the login on the logout
>    message itself, which does NOT contain a return-to)
>
> the return-to in the login in the top right corner reveals already as a URL
> that the return-to parameter is now unescaped.

Have you tried actually clicking the link? Firefox hides the escaping for me, which is confusing, but does apply it.

(In reply to comment #7)

> Have you tried actually clicking the link? Firefox hides the escaping for me,
> which is confusing, but does apply it.

Whoops, spoke too soon. You're right, it's not escaped.

Now it's double-escaped. In HTML it becomes something like %25E7%2589%25B9%25E6%25AE%258A

(In reply to comment #10)

> Now it's double-escaped. In HTML it becomes something like
> %25E7%2589%25B9%25E6%25AE%258A

Please describe exactly in which action sequence you see that. It seems escaped in multiple places, and behaves differently depending on the order of actions.

(In reply to comment #11)

> (In reply to comment #10)
>
> > Now it's double-escaped. In HTML it becomes something like
> > %25E7%2589%25B9%25E6%25AE%258A
>
> Please describe exactly in which action sequence you see that. It seems escaped
> in multiple places, and behaves differently depending on the order of actions.

I pointed out the buggy logic in code review of r82232.

(In reply to comment #12)

> I pointed out the buggy logic in code review of r82232.

Fixed in r86697. Apologies for the delay.
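
The two failure modes discussed in this thread (a raw "&" or "+" in `returnto`, then the double-escaping seen later), shown from the receiving side as an added example that is not part of the original report or of MediaWiki's code. It uses Python's `urllib.parse` to stand in for the server's query parser; the host `wiki.example` and the function names are assumptions made for illustration.

```python
from urllib.parse import quote, parse_qs, urlsplit

BASE = "http://wiki.example/w/index.php"  # placeholder host (assumption)
# Page title from the report, in decoded form.
TITLE = ("Schlüssel_zu_den_Familien_der_Bärlapppflanzen_und_Farne_"
         "in_Deutschland_(H.W._Bennert_&_K._Horn)")


def login_url(returnto_value):
    """Build the login link by concatenation; the caller decides the escaping."""
    return f"{BASE}?title=Spezial:Anmelden&returnto={returnto_value}"


def received_params(url):
    """Parameters a query-string parser extracts from the link."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def build_variants(title):
    """The same link with returnto escaped zero, one and two times for & and +."""
    once = quote(title, safe="")  # every reserved character percent-encoded
    return {
        # "&" and "+" left raw, everything else encoded: the reported URL shape
        "unescaped_amp": login_url(quote(title, safe="&+")),
        # correct: encoded exactly once
        "escaped_once": login_url(once),
        # encoded again: "%" turns into "%25", e.g. %C3 becomes %25C3
        "escaped_twice": login_url(quote(once, safe="")),
    }


def returnto_seen(title):
    """The returnto value the receiving side ends up with, per variant."""
    return {name: received_params(url).get("returnto", [""])[0]
            for name, url in build_variants(title).items()}


if __name__ == "__main__":
    for name, value in returnto_seen(TITLE).items():
        print(f"{name:14} -> {value}")
    print(sorted(received_params(build_variants(TITLE)["unescaped_amp"])))
```

With the raw "&", the return target is cut off at `Bennert_` and the remainder arrives as a separate, unrelated parameter; with double escaping, the target arrives still percent-encoded and no longer matches the page title.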