MArcomage

Free multiplayer on-line fantasy card game


dindon on 01:58, 28. Aug, 2010
I noticed that if you have a deck with a space in its name, and you edit it, the resulting URL will have a space in it, which is kind of ugly, and suggests that there was no escaping of special characters going on. Sure enough, when I named a deck "purple&berries=12" and clicked the link to view it, I got "Error page Invalid deck."
DPsycho on 02:00, 28. Aug, 2010
That's because your math is wrong. purple&berries is a value waaaaay greater than 12. It's at least 17.

EDIT: Unless the berries are out of season. Unripened berries would lower the value substantially.
purple&berries on 02:09, 28. Aug, 2010
The purple berries definitely don't come into season for another month or so.

Incidentally, this problem also exists with usernames. Sanitization is so important! Go ahead, try to go to my profile.
DPsycho on 02:27, 28. Aug, 2010
I sent a challenge to purple&berries, but you've gone offline by that name. Are you able to accept/reject the challenge? (I ask because, naturally, I can't go to the profile page to rescind the offer.)
purple&berries on 03:22, 28. Aug, 2010
DPsycho wrote:
I sent a challenge to purple&berries, but you've gone offline by that name. Are you able to accept/reject the challenge? (I ask because, naturally, I can't go to the profile page to rescind the offer.)


Yup. Though, if you were really 1337, you could have just hand-crafted the request with the relevant post data.
DPsycho on 03:35, 28. Aug, 2010
Perhaps, but my desire to prove myself 1337 is dwarfed atm by my desire to remain lazy.
Mojko on 08:29, 28. Aug, 2010
Fixed in r1098. Thanks for reporting.
theultramage on 08:35, 28. Aug, 2010
purple&berries wrote:
Incidentally, this problem also exists with usernames. Sanitization is so important! Go ahead, try to go to my profile.

Everything was being sanitized already from the start (plus/minus some massive SQL injection vulnerabilities that Dindon pointed out), since XSLT does that automatically.

However, XSLT does not support variable argument lists, so the URL generation function had to be delegated to PHP... and PHP itself does not do any escaping of anything, hence the produced URL came back with its components raw, unescaped, hence the issue. I think r1098 sorts that out.
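
The failure described above, shown as an added example that is not part of the thread and not MArcomage's own code: a PHP URL builder that joins components raw, next to one that percent-encodes them. The function names and the `location` and `CurrentDeck` parameter names are assumptions made for illustration; the deck name is the one from the first post.

```php
<?php
// Added illustration. Function and parameter names are hypothetical,
// not taken from the MArcomage source.

// Before: components concatenated raw, as the thread describes.
function make_url_raw(string $location, array $params): string
{
    $url = '?location=' . $location;
    foreach ($params as $name => $value) {
        $url .= '&' . $name . '=' . $value;
    }
    return $url;
}

// After: every key and value is percent-encoded before joining, so
// '&', '=' and spaces inside a value cannot act as query delimiters.
function make_url_escaped(string $location, array $params): string
{
    $all = ['location' => $location] + $params;
    return '?' . http_build_query($all, '', '&', PHP_QUERY_RFC3986);
}

// The parameters the server recovers when it parses the URL back.
function received_params(string $url): array
{
    parse_str(ltrim($url, '?'), $out);
    return $out;
}

// Deck name from the thread, plus a constructed one containing a space.
foreach (['purple&berries=12', 'my deck'] as $deck) {
    $raw  = make_url_raw('Deck_edit', ['CurrentDeck' => $deck]);
    $safe = make_url_escaped('Deck_edit', ['CurrentDeck' => $deck]);

    echo $raw, "\n";
    print_r(received_params($raw));   // name may be split or truncated
    echo $safe, "\n";
    print_r(received_params($safe));

    // Round-trip check: the deck name must come back unchanged.
    var_dump(received_params($safe)['CurrentDeck'] === $deck);

    // Placing the URL in an HTML attribute is a second, separate
    // encoding step; this is the part XSLT output handles on its own.
    echo '<a href="', htmlspecialchars($safe, ENT_QUOTES, 'UTF-8'), '">edit</a>', "\n";
}
```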
dimitris on 19:36, 28. Aug, 2010
The best solution for the whole parameter passing mess is mod_rewrite, given you have the right permissions to modify Apache's configuration.