Item13837: Foswiki::Func::getScriptUrl() generates broken URL if any parameters contain embedded # characters.
Priority: Urgent
Current State: Closed
Released In: 2.0.3
Target Release: patch
Applies To: Engine
Component: FoswikiFunc
Branches: master
Since Foswiki 2.0.0 there is a problem editing actions created with the ActionTrackerPlugin. The problem is related to the fact that the sequence of the parameters in the edit URL changes randomly. Even within one table containing several actions, the sequence can be different from one action to another. Prior versions of Foswiki (tested with 1.1.9) do not show this problem. While the sequence there is also random, obviously it doesn't matter. In Foswiki installations from version 2.0.0 on, this problem occurs. The result is either coming up with the correct template or opening with the default template or showing the error message "Bad URL parameters; atp_action is not set". After tracking this issue further down, I found out that the sequence of the parameters "skin", "origin" and "atp_action" is critical, while the position of the parameters "t" and "nowysiwyg" in the URL doesn't seem to matter.
This is the result of the permutations of "skin", "origin" and "atp_action"
| sequence | result |
| skin, origin, atp_action | Bad URL parameters; atp_action is not set |
| origin, skin, atp_action | edit opens with standard template |
| atp_action, origin, skin | edit opens with standard template |
| origin, atp_action, skin | edit opens with standard template |
| skin, atp_action, origin | OK |
| atp_action, skin, origin | OK |
--
GerhardHeimlinger - 26 Oct 2015
Originally reported as:
ActionTrackerPlugin - Problem editing Actions (broken since Foswiki 2.0.0)
After some discussion on IRC, the issue here is that a # is slipping through in one of the individual URL parameters.
http://somesite.com/foswiki/bin/edit/Sandbox/CommentPluginExamples?t=1446126138;nowysiwyg=1;atp_action=000001;origin=Sandbox.TestActionTrackerPlugin#Sandbox:CommentPluginExamples:000001;skin=action,natedit,pattern
The # in
origin=Sandbox.TestActionTrackerPlugin#Sandbox:CommentPluginExamples:000001;
is not encoded, and causes the parameters to be truncated at the # fragment indicator.
The bug was introduced in distro:e47b5ab82087e375c6a1015efc414e55de0e056b as part of unit test fixes.
Right now I'm still guessing, but this is the failing use case:
- Foswiki::Func::getScriptUrl (called with an array of URL parameters) which calls:
- Foswiki::getScriptURL(), which calls Foswiki::urlEncode() on each parameter in the array.
- A special parameter named # is used to generate the fragment at the end of the URL
- In this use case, # appearing in other parameters must be encoded, or it will generate a broken URL.
--
Main.GeorgeClark - 29 Oct 2015 - 14:05
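The truncation described above can be reproduced with a small Python model, added here as an illustration; it is not Foswiki's Perl code. The helper names and the two safe-character sets are assumptions, and the parameter values are constructed from the URL quoted in the report.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample modelled on the URL quoted in the report.
BASE = "http://somesite.com/foswiki/bin/edit/Sandbox/CommentPluginExamples"
PARAMS = {
    "atp_action": "000001",
    "origin": "Sandbox.TestActionTrackerPlugin#Sandbox:CommentPluginExamples:000001",
    "skin": "action,natedit,pattern",
}

# Assumed safe-character sets: the real list in Foswiki::urlEncode() is not
# shown on the page. The only difference that matters here is '#'.
BUGGY_SAFE = ":,#"   # '#' passes through unencoded
FIXED_SAFE = ":,"    # '#' becomes %23

def build_url(base, pairs, safe):
    """Join key=value pairs with ';'. A key named '#' supplies the fragment."""
    query, fragment = [], ""
    for key, value in pairs:
        if key == "#":
            fragment = "#" + quote(value, safe=safe)
        else:
            query.append(f"{key}={quote(value, safe=safe)}")
    return base + ("?" + ";".join(query) if query else "") + fragment

def server_params(url):
    """Parameters the server receives; the fragment never leaves the browser."""
    seen = {}
    for part in urlsplit(url).query.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            seen[key] = unquote(value)
    return seen

def seen_for_order(order, safe):
    """Build the edit URL with parameters in the given order, then parse it."""
    return server_params(build_url(BASE, [(k, PARAMS[k]) for k in order], safe))

if __name__ == "__main__":
    for order in (["skin", "origin", "atp_action"], ["skin", "atp_action", "origin"]):
        for label, safe in (("buggy", BUGGY_SAFE), ("fixed", FIXED_SAFE)):
            print(label, order, "->", sorted(seen_for_order(order, safe)))
```

With the unencoded `#`, every parameter placed after `origin` is absorbed into the fragment and `origin` itself is cut short, which is why the outcome depends on parameter order.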
Crawford, the unit tests pass with this patched to encode #, except for the test that explicitly tests the encoding of URL parameters. I don't understand why # was added to the list of safe characters. It doesn't appear to be a typo. Do you have any recollection?
--
GeorgeClark - 29 Oct 2015
The RFC is confusing.... but encoding # would seem to be essential
--
Main.CrawfordCurrie - 02 Nov 2015 - 15:54