Item13583: Login form populated with incorrect path info.
Current State: Closed
Released In: 2.0.2
Target Release: patch
- 29 Jul 2015
(04:31:45 PM) gac410: jomo, by bet is we've got another utf8 error waiting here: https://github.com/foswiki/distro/blob/master/core/lib/Foswiki/Request/Cache.pm#L63
(04:32:46 PM) gac410: I'm guessing that it should be opened for utf8, unless the request is already encoded
(04:33:20 PM) jomo: hm never used the cache yet
(04:33:59 PM) gac410: It's used during certain redirects. Login required during an upload for eg.
(04:34:17 PM) gac410: This is not the page cache.
(04:34:28 PM) jomo: ah so...
(04:34:34 PM) jomo: wondering how to test
(04:35:36 PM) gac410: maybe get ready to attach a utf8 file to a utf8 topic, but delete your cgisess_ file. Then try upload. It should cache your request, authenticate, and then come back to the upload .... I think.
(04:36:01 PM) jomo: maybe not - Cdot decided NOT decode ENV e.g. the PATH_INFO is still bytes (but im not sure)..
(04:36:29 PM) gac410: ah yeah. probably safe then.
(04:36:59 PM) jomo: going to experiment
(04:40:35 PM) jomo: Do you have an incredibly good "nose"!!!
(04:40:37 PM) jomo: Attention
(04:40:37 PM) jomo: "Sandbox.Å½uÅ½u" topic does not exist
(04:40:51 PM) jomo: the topic is called as ŽuŽu
(04:42:12 PM) jomo: repo - create a unicode topicname, press attach, prepare the upload (fill all things), delete the cookies, press the attach button, -> redirect -> login -> error
- 29 Jul 2015
After working on this for hours, I'm getting no closer. path_info is bytes, not characters, so it writes to the cache just fine. I don't think that's the issue. But somehow the topic name gets double-encoded on return from the login redirect.
I'm a bit concerned about processing of the path_info in Engine::CGI and other places. We do character / string manipulation of the path without first decoding it into characters. For ex. Engine::CGI looks for and truncates any quotes in the path.
- 30 Jul 2015
Downgrading this to Normal... The redirect process during an upload works fine for a "strikeone" redirect. it's only the authentication redirect that breaks, and only when redirecting during an upload after the cookie has been invalidate. The corrupted path_name is worrying, but CDot pointed out that in this situation the session id changes, which will probably break things anyway.
Leaving it waiting for feedback.
- 31 Jul 2015
I don't think this is anything to do with the cache. I think it's to do with whatever fills in the form in the login page, it looks like it's saving a URL with a UTF-8 path as bytes.
- 07 Sep 2015 - 13:26
Bumping this back to urgent. As of Sept. 7 release meeting, Crawford considers it a blocker.
- 07 Sep 2015
Changed the summary from "Foswiki::Request::Cache fails to correctly cache/restore utf8 topic names" which is wrong.
The problem is that the PATH_INFO macro used (only) in the login form is expanded incorrectly to a byte string. It needs encoding.
Note that upload through a login still doesn't work, as it appears the temp file is deleted from the CGI cache. But that's a different problem.
- 08 Sep 2015 - 08:49