Item13583: Login form populated with incorrect path info.

-- GeorgeClark - 29 Jul 2015

From IRC:

(04:31:45 PM) gac410: jomo,  by bet is we've got another utf8 error waiting here:  https://github.com/foswiki/distro/blob/master/core/lib/Foswiki/Request/Cache.pm#L63
(04:32:46 PM) gac410: I'm guessing that it should be opened for utf8,   unless the request is already encoded
(04:33:20 PM) jomo: hm never used the cache yet
(04:33:59 PM) gac410: It's used during certain redirects.  Login required during an upload for eg.   
(04:34:17 PM) gac410: This is not the page cache.  
(04:34:28 PM) jomo: ah so...
(04:34:34 PM) jomo: wondering how to test
(04:35:36 PM) gac410: maybe get ready to attach a utf8 file to a utf8 topic,  but delete your cgisess_ file.  Then try upload.  It should cache your request,  authenticate, and then come back to the upload ....   I think.
(04:36:01 PM) jomo: maybe not - Cdot decided NOT decode ENV e.g. the PATH_INFO is still bytes (but im not sure)..
(04:36:29 PM) gac410: ah yeah.   probably safe then.
(04:36:59 PM) jomo: going to experiment
(04:40:35 PM) jomo: Do you have an incredibly good "nose"!!!
(04:40:37 PM) jomo: Attention
(04:40:37 PM) jomo: "Sandbox.ŽuŽu" topic does not exist
(04:40:51 PM) jomo: the topic is called as ŽuŽu
(04:42:12 PM) jomo: repo - create a unicode topicname, press attach, prepare the upload (fill all things), delete the cookies, press the attach button, -> redirect -> login -> error

-- GeorgeClark - 29 Jul 2015

After working on this for hours, I'm getting no closer. path_info is bytes, not characters, so it writes to the cache just fine. I don't think that's the issue. But somehow the topic name gets double-encoded on return from the login redirect.

I'm a bit concerned about processing of the path_info in Engine::CGI and other places. We do character / string manipulation of the path without first decoding it into characters. For ex. Engine::CGI looks for and truncates any quotes in the path.

-- GeorgeClark - 30 Jul 2015

Downgrading this to Normal... The redirect process during an upload works fine for a "strikeone" redirect. it's only the authentication redirect that breaks, and only when redirecting during an upload after the cookie has been invalidate. The corrupted path_name is worrying, but CDot pointed out that in this situation the session id changes, which will probably break things anyway.

Leaving it waiting for feedback.

-- GeorgeClark - 31 Jul 2015

I don't think this is anything to do with the cache. I think it's to do with whatever fills in the form in the login page, it looks like it's saving a URL with a UTF-8 path as bytes.

-- Main.CrawfordCurrie - 07 Sep 2015 - 13:26

Bumping this back to urgent. As of Sept. 7 release meeting, Crawford considers it a blocker.

-- GeorgeClark - 07 Sep 2015

Changed the summary from "Foswiki::Request::Cache fails to correctly cache/restore utf8 topic names" which is wrong.

The problem is that the PATH_INFO macro used (only) in the login form is expanded incorrectly to a byte string. It needs encoding.

Note that upload through a login still doesn't work, as it appears the temp file is deleted from the CGI cache. But that's a different problem.

-- Main.CrawfordCurrie - 08 Sep 2015 - 08:49

Commenting is disabled while not logged in