Line 1164:

drupal_urlencode(implode(',', array_keys($form_state['values']['status']))),

This double-encodes the URL attributes as they also get encoded when used in the $form_state['redirect'] parameter.

Changed to:

implode(',', array_keys($form_state['values']['status'])),

Double URL encoding trips many intrusion detection systems - our client was unable to run a custom sales report as our firewall would filter the request.
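Added example, not part of the original issue or the Ubercart code: a Python sketch of why the pre-encoded argument ends up as `%252C` on the wire, and of the kind of check a filtering device applies to such a request. The path prefix `example/report/`, the status names and all function names are constructed for illustration, and `urllib.parse.quote` stands in for both Drupal encoding passes.

```python
import re
from urllib.parse import quote, unquote

# A percent sign that was itself percent-encoded, followed by two hex digits,
# e.g. %252C, which decodes to %2C and only then to ",".
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def build_redirect(status_ids, pre_encode):
    """Build a report path. pre_encode=True mimics the original line 1164."""
    arg = ",".join(status_ids)
    if pre_encode:
        arg = quote(arg, safe="")  # first pass: "," becomes %2C
    # Second pass: assumed stand-in for the encoding applied to the redirect.
    return quote("example/report/" + arg, safe="/")


def is_double_encoded(url_path):
    """Flag a path whose escapes decode to further escapes."""
    once = unquote(url_path)
    return bool(DOUBLE_ENCODED.search(url_path)) and once != unquote(once)


def encoding_depth(url_path, limit=5):
    """Decode until stable; return (layers removed, final plain text)."""
    depth, current = 0, url_path
    while depth < limit:
        decoded = unquote(current)
        if decoded == current:
            break
        current, depth = decoded, depth + 1
    return depth, current


if __name__ == "__main__":
    statuses = ["pending", "completed"]  # constructed sample values
    for label, pre in (("before fix", True), ("after fix", False)):
        path = build_redirect(statuses, pre)
        print(label, path, is_double_encoded(path), encoding_depth(path))
```

Both paths decode to the same plain text; only the number of encoding layers differs, and that extra layer is what a filter keys on.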

Comments

garethsprice

Sorry, line 1164 of uc_reports.admin.inc

TR

Status: Active » Fixed

Thanks. A similar fix is already in 7.x-3.x, so this does not need to be forward-ported.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

vood002

Just a note---the same problem pops up in function uc_reports_products_custom_form_submit($form, &$form_state) {, somewhere around line 530 (my uc is patched so I'm not sure). You'll have to switch this one as well.