View Issue Details

ID: 0030204
Project: mantisbt
Category: filters
View Status: public
Last Update: 2022-06-24 04:05
Reporter: tslanina
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.25.4
Target Version: 2.25.5
Fixed in Version: 2.25.5
Summary: 0030204: Create Permalink - special characters handling
Description

If a category name contains the "&" character and this name is used in a filter, Mantis generates a buggy link to the filter.
Example:
Category "f0 & f1", generated link:
website.com/search.php?project_id=99&category_id=f0%20&f1=&sticky=on&sort=last_updated&dir=DESC&hide_status=80&match_type=0

The f0[space][ampersand][space]f1 was parsed as f0[space], and the name after the ampersand (f1) is treated as the next parameter, not as part of the name (that's why there's an "=" added after it).
The correct (percent-encoded) link should be:

website.com/search.php?project_id=99&category_id=f0%20%26%20f1&sticky=on&sort=last_updated&dir=DESC&hide_status=80&match_type=0

"f0%20&f1=" vs "f0%20%26%20f1"

(or &amp; instead of %26)

Steps To Reproduce

Create a category with the "&" character in its name.
Make a filter with this category name as a parameter.
Use Create Permalink (from the "hamburger" menu) to generate a link to the filter.

Additional Information

The function filter_encode_field_and_value (filter_api.php) calls PHP urlencode() for each field value. Maybe the value(s) should be processed with htmlspecialcharacters() or a similar function first?
(to replace & with &amp; or %26)

Tags: No tags attached.

Activities

dregad (developer) - 2022-05-13 05:45 - ~0066579

I can reproduce this.

The function filter_encode_field_and_value (filter_api.php) calls PHP urlencode() for each field value. Maybe the value(s) should be processed with htmlspecialcharacters() or a similar function first?

I believe filter_encode_field_and_value()'s behavior is correct - given my test category "a&b", it is passed on to permalink_page.php as search.php?...&category_id=a%26b.

The problem is with string_sanitize_url(), which for security reasons is decomposing the URL parameter to ensure it does not contain any malicious component; doing so, it urldecodes it so the %26 is changed back to ampersand.

At this point I'm not really sure what's the best way to fix this. I need to think about it, there is a security trade-off here.

dregad (developer) - 2022-05-13 09:28 - ~0066580

@tslanina I think I found a solution. Please test the code in the following pull request:
https://github.com/mantisbt/mantisbt/pull/1812

dregad (developer) - 2022-05-18 04:07 - ~0066593

@tslanina any feedback ?

tslanina (reporter) - 2022-05-18 04:11 - ~0066594

I'm out of the office for a couple of days. I will test it tomorrow and give feedback.

dregad (developer) - 2022-05-28 12:44 - ~0066655

Tomorrow has come and gone ;-)

So I assume you're OK with the proposed change, will merge shortly.

Related Changesets

MantisBT: master-2.25 c54a3794
2022-05-13 09:24
dregad

Use filter key instead of URL to build permalink

Refactor permalink_page.php to accept a temporary filter key and
generate the URL from that, instead of receiving a fully-formed URL.

This prevents issues when the filter criteria contain a `&` (e.g. a
category named "a & b"), causing the value to be interpreted as 2
distinct parameters due to string_sanitize_url() decoding the `%26`
before processing the query string.

Fixes 0030204

Affected Issues: 0030204
mod - core/filter_api.php
mod - permalink_page.php
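Added example, not code from this issue, the MantisBT project or the changeset above: a standalone PHP script that reproduces the mechanism discussed in the report and in the developer's analysis (a sanitizer that urldecodes the whole URL before splitting its query string turns "a%26b" into two parameters), contrasts it with decoding each name/value pair separately, and shows the approach the fix takes of building the permalink from the filter's structured criteria rather than from a caller-supplied URL. The function names, the criteria array and the two sanitizer stand-ins are illustrative assumptions; they are not MantisBT's string_sanitize_url() or filter_encode_field_and_value().

```php
<?php
// Added example, not MantisBT code. Demonstrates the permalink bug from
// issue 0030204 and the approach of the fix. Function names and the
// filter criteria below are illustrative assumptions.
declare(strict_types=1);

// Constructed filter criteria; "a&b" is the test category named in the thread.
const FILTER_CRITERIA = [
    'project_id'  => 99,
    'category_id' => 'a&b',
    'sticky'      => 'on',
    'sort'        => 'last_updated',
    'dir'         => 'DESC',
    'hide_status' => 80,
    'match_type'  => 0,
];

/**
 * Build a permalink from structured criteria (the approach of the fix:
 * generate the URL from the filter, never from a caller-supplied URL).
 * http_build_query() percent-encodes every value, so "&" becomes "%26".
 */
function build_permalink(array $criteria): string
{
    return 'search.php?' . http_build_query($criteria, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Stand-in for a sanitizer that urldecodes the whole URL and only then
 * splits its query string. This is the failure mode described in the
 * thread: "%26" turns back into "&" before the split, so "a%26b" yields
 * category_id=a plus a spurious empty parameter named "b".
 */
function naive_sanitize_url(string $url): array
{
    $query = (string) parse_url(urldecode($url), PHP_URL_QUERY);
    parse_str($query, $params);
    return $params;
}

/**
 * Safe variant: split the still-encoded query string first, then decode
 * each name and value separately. parse_str() already does this when it
 * is given the raw query, so an encoded "&" inside a value survives.
 */
function sanitize_url_per_component(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);
    return $params;
}

$url = build_permalink(FILTER_CRITERIA);
echo "permalink: {$url}\n";

$expected = array_map('strval', FILTER_CRITERIA);   // parse_str() yields strings
$bad  = naive_sanitize_url($url);
$good = sanitize_url_per_component($url);

echo "naive sanitizer  category_id={$bad['category_id']}  parameters=" . count($bad) . "\n";
echo "per-component    category_id={$good['category_id']}  parameters=" . count($good) . "\n";

if ($good !== $expected) {
    throw new RuntimeException('per-component decoding lost or altered a value');
}
if ($bad === $expected) {
    throw new RuntimeException('expected the naive sanitizer to split the value');
}
echo "round trip survives only when decoding happens per component\n";
```

Run it with `php example.php`. The naive path reports eight parameters instead of seven, with category_id truncated to "a"; the per-component path returns the original criteria, which is also why generating the URL from the filter data itself (as the changeset does) sidesteps the problem entirely: nothing is ever decoded and re-split.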