  1. eZ Publish / Platform
  2. EZP-12412

Redirect from secure zones causes redirection twice which messes up urls with special characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.10.0
    • Fix Version/s: Customer request
    • Labels:
      None
    • Environment:

      Operating System: Linux, Debian etch
      PHP Version: 4.4.4-8+etch4
      Database and version: MySQL 5.0.32-Debian_7etch4-log
      Browser (and version): All

      Description

      If you have an article name with special characters, for example the special Norwegian letters æøå, these will appear in the article's URL. This URL will be encoded each time a redirection occurs.

      The problem is that sometimes when SSLZones are enabled, redirection after for example /user/login happens twice. First time from https://user/login to https://articleurl. The second time from https://articleurl to http://articleurl

      For each of these redirections eZHTTPTool::redirect( ... ) will be called. This function will again call $url = eZURI::encodeURL( $url );

      Since encodeURL(...) is called twice, all letters of the URL will be encoded twice. This means that, for example, the letter ø will first be encoded to %C3%B8. The next time, each % character will be encoded to %25, giving the resulting and invalid %25C3%25B8 encoding for the ø.

      Steps to reproduce

      Set up a site with SSLZones enabled for user login. Create an article with a special character in the title. Go to the article. Then try logging in.

      1. sslzone-encodeurl.diff
        1 kB
        (inactive) Gunnstein Lye
      2. sslzone-encodeurl-doc.diff
        2 kB
        (inactive) Gunnstein Lye
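
      The double encoding described above, reproduced as an added example (not eZ Publish code and not taken from the attached patches). `encodeUrlPath` and `buildRedirect` are hypothetical stand-ins for `eZURI::encodeURL` and `eZHTTPTool::redirect`, the host and article path are constructed, and `looksDoubleEncoded` is an assumed heuristic for spotting doubled escapes in a `Location` value.

```php
<?php
// Added illustration. encodeUrlPath() and buildRedirect() are hypothetical
// stand-ins, not eZ Publish functions; host and path are constructed.

// Percent-encodes each path segment. '%' is itself encoded, so the function
// is not idempotent: applying it to its own output corrupts the escapes.
function encodeUrlPath(string $path): string
{
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

// Builds the Location value for a redirect. $encodeURL mirrors the boolean
// suggested in the ticket: callers holding an already-encoded path pass false.
function buildRedirect(string $scheme, string $host, string $path, bool $encodeURL = true): string
{
    return $scheme . '://' . $host . ($encodeURL ? encodeUrlPath($path) : $path);
}

// Heuristic: "%25" followed by two hex digits usually means an escape was
// encoded again. A title containing a literal "%C3" would also match.
function looksDoubleEncoded(string $url): bool
{
    return preg_match('/%25[0-9A-Fa-f]{2}/', $url) === 1;
}

$host = 'www.example.com';
$raw  = "/artikler/Sm\xC3\xB8r";            // UTF-8 "Smør", not yet encoded

// Hop 1: after login, redirect to the article over https (raw path, encode once).
$hop1 = buildRedirect('https', $host, $raw);
// The next request arrives with the path exactly as it appeared in hop 1.
$requestPath = parse_url($hop1, PHP_URL_PATH);

// Hop 2: the zone switch to http re-encodes the already-encoded path.
$hop2Broken = buildRedirect('http', $host, $requestPath);
// Hop 2 with the flag set to false leaves the path untouched.
$hop2Fixed  = buildRedirect('http', $host, $requestPath, false);

foreach (['hop1' => $hop1, 'hop2 (re-encoded)' => $hop2Broken, 'hop2 (flag off)' => $hop2Fixed] as $label => $url) {
    printf("%-18s %s  double-encoded=%s\n", $label, $url, looksDoubleEncoded($url) ? 'yes' : 'no');
}
```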

          Activity

          (inactive) Gunnstein Lye added a comment -

          Suggestion:
          What if we add a boolean encodeURL parameter to eZHTTPTool::redirect, defaulting to true, but set to false in eZSSLZone::switchIfNeeded()? It's backwards compatible, but I'm not sure about other consequences.

          Are there situations where this simple solution would not work? Example: Are there situations where we have double encodings, other than in eZSSLZone? Are there situations where this conversion is always needed?

          I can't research this now, but hoping to be able to look closer into it.

          (inactive) Gunnstein Lye added a comment -

          In reply to comment #044530
          The attached patch implements the suggestion. sslzone-encodeurl.diff

          (inactive) Gunnstein Lye added a comment -

          In reply to comment #044531
          The attached patch contains the fix and adds function documentation. Tested and verified on trunk 4.2. sslzone-encodeurl-doc.diff

          (inactive) Gunnstein Lye added a comment - - edited

          Fixed in trunk rev. 23691
          Merged in stable/4.1 (4.1.4) rev. 23692
          Merged in stable/4.0 (4.0.7) rev. 23693

          ezrobot added a comment -

          This issue has been automatically closed due to the lack of activity over a long period of time. It is very likely that it is obsolete, but if you think it is still valid, do not hesitate to reopen it and mention why.


            People

            • Assignee:
              (inactive) Gunnstein Lye
              Reporter:
              Atle Pedersen