
Item6022: ENCODE{} treats % as safe character

Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Applies To: Engine
Component: TWiki.pm
Branches:
Reported By: TWiki:Main.AndreLichtsteiner
Waiting For:
Last Change By: KwangErnLiew
The %-sign (per cent) is, according to RFC 1738, unsafe. (2.2. URL Character Encoding Issues: The character "%" is unsafe because it is used for encodings of other characters.)

But the TWiki Variable %ENCODE{}% treats % (per cent) as a safe letter instead of transforming it to %25.

Test:

  • ?value=%ENCODE{"%9600" type="url"}%

results in:

  • ?value=%259600 (results in 4.22 as %9600)
  • value will be seen as -00

expected:

  • ?value=%259600
  • value will be seen as %9600

proposed patch: /lib/TWiki.pm
2403c2403
<    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
---
>    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
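Review bot: dropping `%` from the safe class is the right fix and produces the expected `%259600`, but two other details on the same line deserve a look. The class still exempts `/` and `:`, which RFC 1738 lists among the reserved characters, so a value containing them is passed through unencoded into the query string; if `type="url"` is meant for parameter values, consider escaping those as well, or document that they are kept on purpose. Also, `'%'.sprintf('%02x',ord($1))` emits more than two hex digits for any character whose code point is above 0xFF (as in a decoded UTF-8 string), yielding an escape such as `%20ac` that no decoder will read as one character; encoding the character's UTF-8 bytes one `%XX` at a time keeps the output well-formed.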

-- TWiki:Main/AndreLichtsteiner - 25 Sep 2008
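The effect described in the report, as an added example that is not code from the page or from TWiki: the same safe set as the `TWiki.pm` regex is mirrored in Python, once with `%` exempted (the reported behaviour) and once without (the proposed fix), and a decoder shows what the receiving server actually sees for `%9600`. The helper names are assumptions; non-ASCII characters are encoded as their UTF-8 bytes, which differs from the Perl one-liner's `ord()`.

```python
import re
from urllib.parse import unquote_to_bytes

# Characters the TWiki.pm regex leaves untouched, constructed here to mirror
# the character class [^0-9a-zA-Z-_.:~!*'\/%] from the page's diff.
SAFE_BUGGY = set("0123456789abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.:~!*'/%")
# The proposed patch simply drops '%' from that set.
SAFE_FIXED = SAFE_BUGGY - {"%"}


def encode_url(text: str, safe: set) -> str:
    """Percent-encode every character not in `safe` (hypothetical helper).

    Each non-safe character becomes one %XX escape per UTF-8 byte, so
    code points above 0xFF still yield well-formed two-digit escapes.
    """
    out = []
    for ch in text:
        if ch in safe:
            out.append(ch)
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def server_sees(query_value: str) -> bytes:
    """Decode a query-string value the way a CGI layer would."""
    return unquote_to_bytes(query_value)


def roundtrip(value: str, safe: set) -> bytes:
    """Encode with the given safe set, then decode as the server would."""
    return server_sees(encode_url(value, safe))


if __name__ == "__main__":
    # With '%' treated as safe, "%9600" is passed through untouched, and the
    # server decodes "%96" into a single byte followed by "00": the "-00"
    # the report describes. With the fix, the literal "%9600" survives.
    for label, safe in (("buggy", SAFE_BUGGY), ("fixed", SAFE_FIXED)):
        enc = encode_url("%9600", safe)
        print(f"{label}: ?value={enc} -> server sees {server_sees(enc)!r}")
```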

Elevating to urgent.

Any voices against Andre's conclusions? Things that will break?

Otherwise I will commit the patch. Will wait a few days

-- TWiki:Main.KennethLavrsen - 29 Sep 2008

sorry, couldn't wait any longer :-)

-- SvenDowideit - 05 Oct 2008


Summary ENCODE{} treats % as safe character
ReportedBy TWiki:Main.AndreLichtsteiner
Codebase
SVN Range TWiki-5.0.0, Tue, 23 Sep 2008, build 17539
AppliesTo Engine
Component TWiki.pm
Priority Urgent
CurrentState Closed
WaitingFor
Checkins TWikirev:17588
TargetRelease patch
ReleasedIn
Topic revision: r9 - 08 Jan 2009, KwangErnLiew
