Download & Extend

Drupal 4.6.4 encodes invalid arg separator?

Project:Drupal core
Version:4.6.4
Component:base system
Category:bug report
Priority:critical
Assigned:chx
Status:closed (fixed)

Issue Summary

The latest Durpal 4.6.4 upgrade causes invalid arg separator encoding, namely the '&' appears in any internal URLs like column sorting, and there should be only '&'. This appears to be module-independent.

Each additional click on the "offensive" url recodes '&' into '&amp', and '&amp' etc...

I am not that familiar with internal Drupal workings to be able to track this myself.

I've noticed the problem after upgrading from 4.6.3 to 4.6.4. I replaced only the files in includes/ and modules/ directories. In addition to core modules, I have flexinode, gsitemap and poormanscron installed which I did not update. I did not launch update.php as the security notice said there were no changes in API or database.

Comments

#1

Priority:normal» critical

yes - there is a problem with that. I think it is the same issue described here
http://drupal.org/node/39565
but your description is more precise, I think.

#2

Heh, it is the same, yes. We were apparently posting at the same time, as that post did not come up when I searched for it, before I submitted this.

That other post also describes the doubling of any variables that come after failed arg separator, but invalidly url_encoded. This I noticed as well.

Can these two reports be merged?

#3

merge: set one of the reports to duplicate

#4

I have set the other post to duplicate

#5

does anyone know which include this stems from ? I tried replacing the common.inc with an earlier one, but it broke my sites. I think this problem is rather critical as it affects many modules. 4.6.4 is for production and many production sites are now malfunctioning

#6

I think XSS patching did something wrong. I think the problem is in filter.module, or anything else related to XSS.

#7

it happens in any link with "&", not only tables.

#8

Assigned to:Anonymous» chx

psicomante that's VERY helpful, thanks.

#9

Status:active» needs review

Here's what happens. First we do something which (check the code) equals to a check_plain call. Next, we call filter_xss_bad_protocol. Look at the last line of that function... there's the double escape.

I think this is a version agnostic problem.

AttachmentSizeStatusTest resultOperations
check_url.patch525 bytesIgnored: Check issue status.NoneNone

#10

Status:needs review» reviewed & tested by the community

Confirmed the problem in 4.6.4 by going to adminster >> content. Clicking on any of the pagination links at the bottom resulted in double-escaped &, with the effect being that the page would reload but the table contents would remain the same.

This patch solved the problem perfectly.

Setting ready for commit.

#11

I can confirm that this patch works! Thanks CHX :)

#12

we have learned something extremely important here: a good bug report equals the solution. I was aware of this problem for 12+ hrs and was reluctant to look into it. But when it was reported that every url containg the ampersand is affected, I immediately knew what's the problem.

#13

I applied to this page to Drupal 4.6.4 tar ball.

I added 12 pages.

I went to the home page.

I clicked back and forth on the pagination and it works.

Kieran

#14

The patch fixes all link problems but aggregator ones (links to external sites). These links are already saved in DB with '&' instead of '&'. Should I file a bug report in aggregator.module?

#15

The first '&' was '& a m p ;'. Drupal somehow decoded the entity, another bug? :-)

#16

you definitely should

#17

Committed to DRUPAL-4-5, DRUPAL-4-6 and HEAD.

#18

Critical aggregator.module bug caused by XSS filtering patch was filed as http://drupal.org/node/39670 . This is 4.6.4 regression against 4.6.3.

#19

I'm very glad to help this glorious community! thanks CHX ;)

OSS Rocks!

#20

Status:reviewed & tested by the community» fixed

Setting this to fixed, since it was committed.

#21

Are you sure, that this problem is fixed in Drupal 4.6.4 tar.gz distribution? More users are still describing this problem...

#22

No, fixes don't go into a release once it's been packaged. It's fixed in the 4.6 branch of CVS. Once a few more 4.6.4-related bugs are fixed, a 4.6.5 (or 4.6.4.1) will likely be released.

#23

Oh, ah!

I saw this reported here first:
http://drupal.org/node/40094

#24

Status:fixed» closed (fixed)
nobody click here