The latest Drupal 4.6.4 upgrade causes invalid arg separator encoding, namely '&amp;' appears in any internal URLs like column sorting, and there should be only '&'. This appears to be module-independent.
Each additional click on the "offensive" URL recodes '&' into '&amp;', and '&amp;amp' etc...
I am not that familiar with internal Drupal workings to be able to track this myself.
I've noticed the problem after upgrading from 4.6.3 to 4.6.4. I replaced only the files in includes/ and modules/ directories. In addition to core modules, I have flexinode, gsitemap and poormanscron installed which I did not update. I did not launch update.php as the security notice said there were no changes in API or database.
Comment | File | Size | Author |
---|---|---|---|
#9 | check_url.patch | 525 bytes | chx |
Comments
Comment #1
lennart: yes - there is a problem with that. I think it is the same issue described here
http://drupal.org/node/39565
but your description is more precise, I think.
Comment #2
CoR-1: Heh, it is the same, yes. We were apparently posting at the same time, as that post did not come up when I searched for it before I submitted this.
That other post also describes the doubling of any variables that come after failed arg separator, but invalidly url_encoded. This I noticed as well.
Can these two reports be merged?
Comment #3
chx: merge: set one of the reports to duplicate
Comment #4
lennart: I have set the other post to duplicate
Comment #5
lennart: does anyone know which include this stems from? I tried replacing the common.inc with an earlier one, but it broke my sites. I think this problem is rather critical as it affects many modules. 4.6.4 is for production and many production sites are now malfunctioning
Comment #6
CoR-1: I think XSS patching did something wrong. I think the problem is in filter.module, or anything else related to XSS.
Comment #7
psicomante: it happens in any link with "&", not only tables.
Comment #8
chx: psicomante that's VERY helpful, thanks.
Comment #9
chx: Here's what happens. First we do something which (check the code) equals to a check_plain call. Next, we call filter_xss_bad_protocol. Look at the last line of that function... there's the double escape.
I think this is a version agnostic problem.
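A simplified PHP model of the double escape chx describes (added illustration, not Drupal's own code; the `model_*` helpers, the `$escape` parameter and the sample link are assumptions, not the project's real functions):

```php
<?php
// Added illustration, not Drupal's code: a minimal model of a caller that
// escapes a URL once and then hands it to a protocol filter whose last
// line escapes it again, producing '&amp;amp;' from a single '&'.

// Stand-in for check_plain(): escapes &, <, >, ' and " exactly once.
function model_check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for filter_xss_bad_protocol(): strips any URL scheme that is not
// on the allow-list, then (like the function discussed in the thread)
// escapes its result on the last line. $escape is an assumed knob.
function model_filter_xss_bad_protocol($uri, $escape = TRUE) {
    $allowed = array('http', 'https', 'ftp', 'mailto');
    do {
        $before = $uri;
        if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $uri, $m)
            && !in_array(strtolower($m[1]), $allowed)) {
            $uri = substr($uri, strlen($m[0]));   // drop the disallowed scheme
        }
    } while ($before !== $uri);                   // repeat until stable
    return $escape ? model_check_plain($uri) : $uri;
}

// Broken form: escaped by the caller AND by the filter's last line.
function check_url_double_escaping($uri) {
    return model_filter_xss_bad_protocol(model_check_plain($uri));
}

// Fixed form: the filter is the only place that escapes, so '&' -> '&amp;'.
function check_url_single_escaping($uri) {
    return model_filter_xss_bad_protocol($uri, TRUE);
}

// Constructed sample: a sortable-table link such as the pager links in the
// thread, passed through each form, and the same link "clicked" three times
// (each click re-runs the broken form on the already escaped output).
$link = '?sort=asc&order=title';
echo check_url_double_escaping($link), "\n";
echo check_url_single_escaping($link), "\n";
$clicked = $link;
for ($i = 0; $i < 3; $i++) {
    $clicked = html_entity_decode(check_url_double_escaping($clicked), ENT_QUOTES, 'UTF-8');
    echo "after click ", $i + 1, ": ", $clicked, "\n";
}
// The fix must not weaken the filter: a disallowed scheme is still removed.
echo check_url_single_escaping('javascript:alert(1)'), "\n";
```

Run with `php`; the first output line carries the doubled entity, the second the single correct one, and the loop shows how each click leaves one more stray `amp;` in the query string, matching the growing '&amp;amp' described in the report.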
Comment #10
webchick: Confirmed the problem in 4.6.4 by going to administer >> content. Clicking on any of the pagination links at the bottom resulted in double-escaped &, with the effect being that the page would reload but the table contents would remain the same.
This patch solved the problem perfectly.
Setting ready for commit.
Comment #11
lennart: I can confirm that this patch works! Thanks CHX :)
Comment #12
chx: we have learned something extremely important here: a good bug report equals the solution. I was aware of this problem for 12+ hrs and was reluctant to look into it. But when it was reported that every URL containing the ampersand is affected, I immediately knew what the problem was.
Comment #13
Amazon: I applied the patch on this page to the Drupal 4.6.4 tarball.
I added 12 pages.
I went to the home page.
I clicked back and forth on the pagination and it works.
Kieran
Comment #14
Pogo: The patch fixes all link problems but aggregator ones (links to external sites). These links are already saved in the DB with '&amp;' instead of '&'. Should I file a bug report in aggregator.module?
Comment #15
Pogo: The first '&' was '& a m p ;'. Drupal somehow decoded the entity, another bug? :-)
Comment #16
chx: you definitely should
Comment #17
Dries: Committed to DRUPAL-4-5, DRUPAL-4-6 and HEAD.
Comment #18
Pogo: Critical aggregator.module bug caused by the XSS filtering patch was filed as http://drupal.org/node/39670 . This is a 4.6.4 regression against 4.6.3.
Comment #19
psicomante: I'm very glad to help this glorious community! thanks CHX ;)
OSS Rocks!
Comment #20
webchick: Setting this to fixed, since it was committed.
Comment #21
meba: Are you sure that this problem is fixed in the Drupal 4.6.4 tar.gz distribution? More users are still describing this problem...
Comment #22
webchick: No, fixes don't go into a release once it's been packaged. It's fixed in the 4.6 branch of CVS. Once a few more 4.6.4-related bugs are fixed, a 4.6.5 (or 4.6.4.1) will likely be released.
Comment #23
markus_petrux: Oh, ah!
I saw this reported here first:
http://drupal.org/node/40094