Commit 67db4046 authored by sikeda's avatar sikeda

[change] WWSympa: Action URLs no longer may contain e-mail addresses in their...

[change] WWSympa: Action URLs no longer may contain e-mail addresses in their path components.  For example:
  http://host.name/sympa/editsubscriber/list/email%40addr.ess
  ...is no longer available;
  http://host.name/sympa/editsubscriber/list?email=email%40addr.ess
  ...may be used ("%40" is the encoded form of "@").

Because e-mail addresses can contain slashes ("/") and web servers cannot handle slashes in URL path components appropriately, a query parameter is the better choice.


git-svn-id: https://subversion.renater.fr/sympa/branches/sympa-6.2-branch@12934 05aa8bb8-cd2b-0410-b1d7-8918dfa770ce
parent 5e563838
......@@ -6,10 +6,11 @@
<input type="hidden" name="previous_action" value="[% previous_action %]" />
<input type="hidden" name="list" value="[% list %]" />
<input type="hidden" name="email" value="[% current_subscriber.escaped_email %]" />
<input type="hidden" name="email" value="[% current_subscriber.email %]" />
<label for="new_email">[%|loc%]Email:[%END%] </label>
<input type="text" name="new_email" id="new_email" value="[% current_subscriber.escaped_email %]" size="25" />
<input type="text" name="new_email" id="new_email"
value="[% current_subscriber.email %]" size="25" />
<label for="gecos">[%|loc%]Name:[%END%] </label>
<input type="text" name="gecos" id="gecos" value="[% current_subscriber.gecos %]" size="25" />
......@@ -42,15 +43,21 @@
<label>[%|loc%]Language:[%END%] </label>[% current_subscriber.lang %]
[% IF pictures_display %]
<label for="picture">[%|loc%]Picture:[%END%] </label>
<a id="picture" href="[% current_subscriber.pictures_url %]" title="[% current_subscriber.pictures_url %],[%|loc%]Open in a new window[%END%]" target="pictures">
<img id="large_picture" src="[% current_subscriber.pictures_url %]" alt="[% current_subscriber.escaped_email %]'s picture"/>
</a>
[% IF current_subscriber.escaped_email == user.email %]
[% IF pictures_display ~%]
[% IF current_subscriber.pictures_url || current_subscriber.email == user.email ~%]
<label for="picture">[%|loc%]Picture:[%END%] </label>
[%~ END %]
[% IF current_subscriber.pictures_url ~%]
<a id="picture" href="[% current_subscriber.pictures_url %]"
title="[%|loc%]Open in a new window[%END%]" target="pictures">
<img id="large_picture" src="[% current_subscriber.pictures_url %]"
alt="[%|loc(current_subscriber.email)%]%1's picture[%END%]" />
</a>
[%~ END %]
[% IF current_subscriber.email == user.email ~%]
<p><a href="[% 'suboptions' | url_rel([list]) %]" title="">[%|loc%]Changing your picture for this list[%END%]</a></p>
[% END %]
[% END %]
[%~ END %]
[%~ END %]
[% IF additional_fields %]
[% FOREACH field = additional_fields %]
......@@ -79,9 +86,9 @@
[% IF current_subscriber.bounce %]
<h3 class="bg_color_error">[%|loc%]Bouncing address[%END%]</h3>
[% IF current_subscriber.escaped_bounce_address %]
[% IF current_subscriber.bounce_address %]
<label>[%|loc%]Address detected via VERP technology[%END%] </label>
[% current_subscriber.escaped_bounce_address %]
[% current_subscriber.bounce_address %]
[% END %]
<label>[%|loc%]Status:[%END%] </label>
......@@ -112,8 +119,8 @@
</p>
</div>
<a href="[% 'viewbounce' | url_rel([list,current_subscriber.email]) %]"
onclick="$('.viewmod').hide();$('#viewbounce').load('[% 'ajax/viewbounce' | url_rel([list,current_subscriber.email]) %]').parent().show(); return false">[%|loc%]View last bounce[%END%]</a>
<a href="[% 'viewbounce' | url_rel([list],{email=>current_subscriber.email}) %]"
onclick="$('.viewmod').hide();$('#viewbounce').load('[% 'ajax/viewbounce' | url_rel([list],{email=>current_subscriber.email}) %]').parent().show(); return false">[%|loc%]View last bounce[%END%]</a>
<input class="MainMenuLinks" type="submit" name="action_resetbounce" value="[%|loc%]Reset errors[%END%]" />
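Review bot: The hidden and text inputs at L21 and L24-L25 now place `current_subscriber.email` directly into a double-quoted attribute value, whereas the `escaped_email` they replace had been passed through `escape_html_minimum` (its removal is visible in the do_editsubscriber hunk of the wwsympa file). Unless the template engine HTML-escapes output by default, which this commit does not show, the attribute is only well-formed because the stored address is assumed to contain no `"`; the same consideration applies to `current_subscriber.bounce_address` at L62 and to the `value="[% u.email %]"` checkboxes in the reviewbouncing and review templates below. If the template setup provides an HTML-escaping filter, applying it to these attribute values keeps the previous guarantee independent of input validation; otherwise a short `[%# email is validated on input, safe in an attribute %]` comment would record the assumption for the next reader.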
......
......@@ -138,12 +138,25 @@
</li>
[% END %]
<li class="divider hide-for-small"></li>
[% IF authentication_info_url %]
<li><a class="menuLinks" href="[%authentication_info_url%]">[%|loc%]Authentication help[% END %]</a></li>
[% ELSE %]
<li><a href="[% 'firstpasswd' | url_rel([escaped_init_email]) %]">[%|loc%]First login?[%END%]</a></li>
<li><a href="[% 'renewpasswd' | url_rel([escaped_init_email]) %]">[%|loc%]Lost password?[%END%]</a></li>
[% END %]
[% IF authentication_info_url %]
<li><a class="menuLinks" href="[%authentication_info_url%]">
[%|loc%]Authentication help[% END %]
</a></li>
[% ELSIF init_email %]
<li><a href="[% 'firstpasswd' | url_rel([],{email=>init_email}) %]">
[%|loc%]First login?[%END%]
</a></li>
<li><a href="[% 'renewpasswd' | url_rel([],{email=>init_email}) %]">
[%|loc%]Lost password?[%END%]
</a></li>
[% ELSE %]
<li><a href="[% 'firstpasswd' | url_rel %]">
[%|loc%]First login?[%END%]
</a></li>
<li><a href="[% 'renewpasswd' | url_rel %]">
[%|loc%]Lost password?[%END%]
</a></li>
[% END %]
[% IF top_menu %]
</ul>
</li>
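Review bot: The `ELSIF init_email` and `ELSE` branches at L88-L101 emit the same two `<li>` items and differ only in the arguments handed to `url_rel`, so the menu markup is now maintained in two places. If `url_rel` accepts an empty hash as its second argument (not visible here), the query could be chosen once with `[% SET passwd_query = init_email ? {email => init_email} : {} %]` and a single pair of links written as `url_rel([], passwd_query)`. The enclosing list markup starts and ends outside the hunk.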
......
......@@ -79,10 +79,10 @@
[% END %]
<td>
<input type="checkbox" name="email" value="[% u.escaped_email %]" />
<input type="checkbox" name="email" value="[% u.email %]" />
</td>
<td>
<a href="[% 'editsubscriber' | url_rel([list,u.escaped_email,'reviewbouncing']) %]">[% u.email %]</a>
<a href="[% 'editsubscriber' | url_rel([list],{email=>u.email,previous_action=>action}) %]">[% u.email %]</a>
</td>
<td class="text_center
......
......@@ -84,14 +84,14 @@
[% IF is_owner %]
<td>
<input type="checkbox" name="email" value="[% u.escaped_email %]" />
<input type="checkbox" name="email" value="[% u.email %]" />
</td>
[% END %]
[% IF u.bounce %]
<td colspan="2" class="text-left">
[% IF is_owner %]
<a href="[% 'editsubscriber' | url_rel([list,u.escaped_email,'review']) %]">[% u.email %]</a>
<a href="[% 'editsubscriber' | url_rel([list],{email=>u.email,previous_action=>action}) %]">[% u.email %]</a>
[% ELSE %]
[% u.email %]
[% END %]
......@@ -104,7 +104,7 @@
[% ELSE %]
<td colspan="3" class="text-left">
[% IF is_owner %]
<a href="[% 'editsubscriber' | url_rel([list,u.escaped_email,'review']) %]">[% u.email %]</a>
<a href="[% 'editsubscriber' | url_rel([list],{email=>u.email,previous_action=>action}) %]">[% u.email %]</a>
[% ELSE %]
[% u.email %]
[% END %]
......
......@@ -58,7 +58,7 @@
<input type="hidden" name="envid" value="[% u.envid %]" />
<input type="submit" class="MainMenuLinks"
value="[%|loc%]view[%END%]"
onclick="$('.viewmod').hide();$('#viewbounce[% u.envid %]').load('[% 'ajax/viewbounce' | url_rel([list,u.recipient],{envid=>u.envid}) %]').parent().show(); return false" />
onclick="$('.viewmod').hide();$('#viewbounce[% u.envid %]').load('[% 'ajax/viewbounce' | url_rel([list],{email=>u.recipient,envid=>u.envid}) %]').parent().show(); return false" />
</form>
[% ELSE %]
&nbsp;
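Review bot: The URL built at L149 is interpolated into a single-quoted JavaScript string inside the `onclick` attribute, so it is only safe if `url_rel` percent-encodes the query values it receives (`u.recipient` in particular) such that neither `'` nor `"` can reach the attribute; that encoding is not visible in this commit. If it does, a comment such as `[%# url_rel percent-encodes query values; safe inside the quoted JS string %]` would document the assumption; if it does not, moving the URL into a `data-` attribute and reading it from script avoids the nested HTML/JS context. The viewbounce link in the editsubscriber template follows the same pattern.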
......
......@@ -351,7 +351,12 @@ my %auth_action = (
'ticket' => 1,
);
 
## Arguments awaited in the PATH_INFO, depending on the action
# Arguments awaited in the PATH_INFO, depending on the action.
# NOTE:
# * The email addresses should NOT be embedded in PATH_INFO, because included
# slashes (/) cannot be handled correctly by web servers. They are kept just
# for compatibility to earlier releases of Sympa. Use query parameters
# instead.
our %action_args = (
'default' => ['list'],
'editfile' => ['list', 'file', 'previous_action'],
......@@ -384,11 +389,11 @@ our %action_args = (
'add' => ['list', 'email'],
'add_request' => ['list'],
'del' => ['list', 'email'],
'editsubscriber' =>
['list', 'email', 'previous_action', 'custom_attribute'],
# 'editsubscriber' => ['list','email','previous_action'],
'viewbounce' => ['list', 'email', '@file'],
'resetbounce' => ['list', 'email'],
#'editsubscriber' =>
# ['list', 'email', 'previous_action', 'custom_attribute'],
#'editsubscriber' => ['list', 'email', 'previous_action'],
#'viewbounce' => ['list', 'email', '@file'],
#'resetbounce' => ['list', 'email'],
'review' => ['list', 'page', 'size', 'sortby'],
'reviewbouncing' => ['list', 'page', 'size'],
'arc' => ['list', 'month', '@arc_file'],
......@@ -971,9 +976,9 @@ my %filtering = (
#XXX'd_control' => {'path' => 'qencode'},
#XXX'd_change_access' => {'path' => 'qencode'},
#XXX'd_set_owner' => {'path' => 'qencode'},
'requestpasswd' => {'email' => 'fix_escape_uri'},
'viewbounce' => {'email' => 'fix_escape_uri'},
'editsubscriber' => {'email' => 'fix_escape_uri'},
#XXX'requestpasswd' => {'email' => 'fix_escape_uri'},
#XXX'viewbounce' => {'email' => 'fix_escape_uri'},
#XXX'editsubscriber' => {'email' => 'fix_escape_uri'},
## Required because outgoing parameters have been html-escaped in
## edit_list_request
'edit_list' => {'*param*' => 'unescape_html'},
......@@ -2432,14 +2437,12 @@ sub get_parameters {
# $in{$p} = join '/', @tokens;
#}
if ($filtering_action eq 'unescape_html') {
# Sympa's URI escaping subroutine
# (Sympa::Tools::Text::escape_chars()) replaces '/' with
# %A5 ('¥' character). This should be transformed into a
# '/' again.
$in{$p} = Sympa::Tools::Text::unescape_chars($in{$p});
} elsif ($filtering_action eq 'fix_escape_uri') {
$in{$p} =~ s/\xa5/\//g;
#} elsif ($filtering_action eq 'fix_escape_uri') {
# # Sympa::Tools::Text::escape_chars() replaces '/' with
# # %A5 ('¥' character). This should be transformed into a
# # '/' again.
# $in{$p} =~ s{/}{\xa5}g;
} elsif ($filtering_action eq 'normalize') {
$in{$p} =~ s/^\$+//; ## remove leading \s
$in{$p} =~ s/\$+$//; ## remove trailing \s
......@@ -3366,8 +3369,6 @@ sub do_login {
} else {
$in{'init_email'} = $in{'email'};
$param->{'init_email'} = $in{'email'};
$param->{'escaped_init_email'} =
Sympa::Tools::Text::escape_chars($in{'email'});
 
Sympa::Report::reject_report_web('user', 'missing_arg',
{'argument' => 'passwd'},
......@@ -3762,8 +3763,6 @@ sub do_sso_login {
unless ($in{'ticket'}) {
$in{'init_email'} = $in{'email'};
$param->{'init_email'} = $in{'email'};
$param->{'escaped_init_email'} =
Sympa::Tools::Text::escape_chars($in{'email'});
 
Sympa::Report::reject_report_web('user', 'missing_arg',
{'argument' => 'ticket'},
......@@ -4354,15 +4353,11 @@ sub sendssopasswd {
Sympa::Tools::Password::tmp_passwd($email);
}
 
$param->{'newuser'}{'escaped_email'} =
Sympa::Tools::Text::escape_chars($param->{'newuser'}{'email'});
} else {
 
$param->{'newuser'} = {
'email' => $email,
'escaped_email' => Sympa::Tools::Text::escape_chars($email),
'password' => Sympa::Tools::Password::tmp_passwd($email)
'email' => $email,
'password' => Sympa::Tools::Password::tmp_passwd($email)
};
 
}
......@@ -4482,8 +4477,6 @@ sub do_requestpasswd {
{
$param->{'newuser'} =
{'email' => Sympa::Tools::Text::canonic_email($in{'email'})};
$param->{'newuser'}{'escaped_email'} =
Sympa::Tools::Text::escape_chars($param->{'newuser'}{'email'});
}
if ($param->{'one_time_ticket'}) {
$param->{'login_error'} = 'ticket_sent';
......@@ -5324,7 +5317,7 @@ sub do_set {
return undef;
}
 
$email = Sympa::Tools::Text::unescape_chars($in{'email'});
$email = $in{'email'};
} else {
unless ($param->{'user'}{'email'}) {
Sympa::Report::reject_report_web('user', 'no_user', {},
......@@ -6107,8 +6100,6 @@ sub do_subrequest {
unless ($param->{'newuser'}) {
$param->{'newuser'} =
{'email' => Sympa::Tools::Text::canonic_email($in{'email'})};
$param->{'newuser'}{'escaped_email'} =
Sympa::Tools::Text::escape_chars($param->{'newuser'}{'email'});
}
# Need to send a password by email
$param->{'one_time_ticket'} = Sympa::Ticket::create(
......@@ -8002,7 +7993,6 @@ sub do_add_fromsub {
sub do_del {
wwslog('info', '');
 
$in{'email'} = Sympa::Tools::Text::unescape_chars($in{'email'}); #FIXME
my @emails = split /\0/, $in{'email'};
 
$param->{'email'} = [@emails];
......@@ -10211,7 +10201,7 @@ sub do_arcsearch_id {
return undef;
}
 
$in{'msgid'} = Sympa::Tools::Text::unescape_chars($in{'msgid'});
#$in{'msgid'} = Sympa::Tools::Text::unescape_chars($in{'msgid'});
$param->{'msgid'} = $in{'msgid'};
 
$search->limit(1);
......@@ -10998,8 +10988,6 @@ sub do_editsubscriber {
 
my $subscriber;
 
$in{'email'} = Sympa::Tools::Text::unescape_chars($in{'email'});
unless ($subscriber = $list->get_list_member($in{'email'})) {
Sympa::Report::reject_report_web('intern', 'subscriber_not_found',
{'email' => $in{'email'}},
......@@ -11009,12 +10997,6 @@ sub do_editsubscriber {
}
 
$param->{'current_subscriber'} = $subscriber;
$param->{'current_subscriber'}{'escaped_email'} =
Sympa::Tools::WWW::escape_html_minimum(
$param->{'current_subscriber'}{'email'});
$param->{'current_subscriber'}{'escaped_bounce_address'} =
Sympa::Tools::WWW::escape_html_minimum(
$param->{'current_subscriber'}{'bounce_address'});
$param->{'current_subscriber'}{'date'} =
$language->gettext_strftime("%d %b %Y",
localtime($subscriber->{'date'}));
......@@ -11334,10 +11316,6 @@ sub do_reviewbouncing {
$language->gettext_strftime("%d %b %Y",
localtime($i->{'last_bounce'}));
 
## Escape some weird chars
$i->{'escaped_email'} =
Sympa::Tools::Text::escape_chars($i->{'email'});
push @{$param->{'members'}}, $i;
}
 
......@@ -11353,8 +11331,6 @@ sub do_reviewbouncing {
sub do_resetbounce {
wwslog('info', '');
 
$in{'email'} = Sympa::Tools::Text::unescape_chars($in{'email'});
my @emails = split /\0/, $in{'email'};
 
foreach my $email (@emails) {
......@@ -19224,10 +19200,6 @@ sub _prepare_subscriber {
$user->{'domain'} = $1;
$user->{'pictures_url'} = $list->find_picture_url($user->{'email'});
 
## Escape some weird chars
$user->{'escaped_email'} =
Sympa::Tools::Text::escape_chars($user->{'email'});
## Check data sources
$user->{'sources'} = $list->get_datasource_name($user->{'id'})
if ($user->{'id'});
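Review bot: The commented-out replacement at L213, `$in{$p} =~ s{/}{\xa5}g;`, inverts the direction of the live code it replaces (L208 turned `\xa5` back into `/`) and contradicts the comment kept above it, which still says the character should become a `/` again. Since the matching `fix_escape_uri` entries in `%filtering` are also commented out (L192-L194), the branch is dead either way; deleting the block, or at least restoring `# $in{$p} =~ s{\xa5}{/}g;`, avoids leaving a misleading template for anyone who re-enables it. The new note above `%action_args` (L161-L164) says e-mail addresses are kept in PATH_INFO only for compatibility but does not say for which actions; naming the entries that still list `'email'` (`'add'` and `'del'` at L169/L171 remain) would make the scope explicit. The commented-out `unescape_chars` on `$in{'msgid'}` at L292 is outside the e-mail scope the commit message describes; if message IDs are still produced with `escape_chars` on the sending side, that deserves a separate check.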
......
......@@ -186,8 +186,7 @@ sub authentication {
$log->syslog('err', 'Incorrect password for user %s', $email);
my $param; #FIXME FIXME: not used.
$param->{'init_email'} = $email;
$param->{'escaped_init_email'} = Sympa::Tools::Text::escape_chars($email);
$param->{'init_email'} = $email;
return undef;
}
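Review bot: With the `escaped_init_email` assignment gone, the lexical `$param` declared at L348 is written once at L351 and never read, as its own `#FIXME FIXME: not used.` already says, so the branch now keeps a dead autovivified hash. Either remove `my $param;` together with the assignment, or replace the FIXME with a sentence saying why the write is kept. The enclosing `authentication` sub starts and ends outside the hunk.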
......