Line 1164:
drupal_urlencode(implode(',', array_keys($form_state['values']['status']))),
This double-encodes the URL attributes as they also get encoded when used in the $form_state['redirect'] parameter.
Changed to:
implode(',', array_keys($form_state['values']['status'])),
Double URL encoding trips many intrusion detection systems - our client was unable to run a custom sales report as our firewall would filter the request.
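The effect described in this report, as an added example that is not part of the original issue or the Ubercart code: rawurlencode() stands in for both drupal_urlencode() and the encoding applied during the redirect, and the path, the sample statuses and the helper names are hypothetical.

```php
<?php
// Constructed sample input: order statuses keyed by name, shaped like
// $form_state['values']['status'] in the report above.
$status = array('pending' => 'pending', 'payment_received' => 'payment_received');

// Hypothetical stand-in for the redirect step, which encodes each path
// segment once on its own (assumption: rawurlencode per segment).
function build_redirect_url($path) {
  return '/' . implode('/', array_map('rawurlencode', explode('/', $path)));
}

// Simple check of the kind a filtering rule might apply (assumption):
// "%25" followed by two hex digits is an already-encoded escape that
// has been encoded a second time.
function is_double_encoded($url) {
  return preg_match('/%25[0-9A-Fa-f]{2}/', $url) === 1;
}

$args = implode(',', array_keys($status));

// Before the change: the argument is encoded by the caller, then again
// by the redirect step, so "," becomes "%2C" and then "%252C".
$before = build_redirect_url('reports/custom/' . rawurlencode($args));

// After the change: the raw argument is passed and encoded exactly once.
$after = build_redirect_url('reports/custom/' . $args);

foreach (array('before' => $before, 'after' => $after) as $label => $url) {
  printf("%-6s %s  double-encoded: %s\n", $label, $url,
    is_double_encoded($url) ? 'yes' : 'no');
}
```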
Comments
Comment #1
garethsprice commented:
Sorry, line 1164 of uc_reports.admin.inc
Comment #2
TR commented:
Thanks. A similar fix is already in 7.x-3.x, so this does not need to be forward-ported.
Comment #4
vood002 commented:
Just a note---the same problem pops up in
function uc_reports_products_custom_form_submit($form, &$form_state) {
somewhere around line 530 (my uc is patched so I'm not sure). You'll have to switch this one as well.