In the last week or so, I've run into a couple of bugs in Swazoo that may be of interest to any Seasiders using Swazoo in their applications. I've got workarounds for GLASS if anyone is interested.
The first bug is in SwazooURI where the query fields in an URL will be incorrectly parsed if an `&` or other special character is embedded in the value of the field. The following example illustrates the bug: | url ans1 ans2 | url := 'www.foo.com/index.html?foo=1&bar=', 'bar"sample method"^#($&)' encodeForHTTP ans1 := SwazooURI fromString: url. ans2 := SwazooURI new. ans2 fromStream: url readStream. ans1 printString = ans2 printString SwazooURI>>fromString: (called by SwazooURI class>>fromString:) prematurely decodes the input string exposing the `&` and causes the parser to think that there is an additional query field in the input url and results in the truncation of the value of the `bar` field. The fix is to remove the call to HTTPString class>>decodedHTTPFrom: from SwazooURI>>fromString: ... the subsequent parsing of the queryfields already call HTTPString class>>decodedHTTPFrom: This bug is present in Swazoo-2.3beta2.6 ---- The second bug is in WASwazooAdaptor>>requestUrlFor:. In this case WAUrl is fed the printString of the #uri (an instance of SwazooURI) as follows: requestUrlFor: aNativeRequest | url | url := ((WAUrl absolute: aNativeRequest uri printString) decodedWith: self codec). aNativeRequest isEncrypted ifTrue: [ url scheme: 'https' ]. ^ url The problem occurs because WAUrl class>>absolute: expects the url to be url encoded, but the printString for SwazooURI prints the decoded url. Again this causes problems when HTTP special characters are in the input url. The other adaptors feed the 'raw' encoded url string to WAUrl, but the Swazoo adaptor does not ... SwazooURI does not keep the encoded source url around, so in my workaround I changed SwazooURI printQueriesOn: to reencode the query parameters ... Dale _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
>>>>> "Dale" == Dale Henrichs <[hidden email]> writes:
Dale> The first bug is in SwazooURI where the query fields in an URL Dale> will be incorrectly parsed if an `&` or other special character is Dale> embedded in the value of the field. The following example Dale> illustrates the bug: That's not a bug. There's no particular specialness of single or double quotes in a URI. So example.com/xyz?foo=1&bar=2&bletch="foo&bar" is actually ill-formed. It's quite possible that the parameters will end up: foo 1 bar 2 bletch "foo bar" (null) If you want & inside a GET parameter, you have to %-encode it. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.posterous.com/ for Smalltalk discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
>>>>> "Randal" == Randal L Schwartz <[hidden email]> writes:
Randal> If you want & inside a GET parameter, you have to %-encode it. I missed the part where you are. Sorry. Yeah, it'd be a bug then to double-decode it. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.posterous.com/ for Smalltalk discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
In reply to this post by Dale Henrichs
2011/8/3 Dale Henrichs <[hidden email]>:
> In the last week or so, I've run into a couple of bugs in Swazoo that may be of interest to any Seasiders using Swazoo in their applications. I've got workarounds for GLASS if anyone is interested. > > The first bug is in SwazooURI where the query fields in an URL will be incorrectly parsed if an `&` or other special character is embedded in the value of the field. The following example illustrates the bug: > > | url ans1 ans2 | > url := 'www.foo.com/index.html?foo=1&bar=', 'bar"sample method"^#($&)' encodeForHTTP > ans1 := SwazooURI fromString: url. > > ans2 := SwazooURI new. > ans2 fromStream: url readStream. > > ans1 printString = ans2 printString > > SwazooURI>>fromString: (called by SwazooURI class>>fromString:) prematurely decodes the input string exposing the `&` and causes the parser to think that there is an additional query field in the input url and results in the truncation of the value of the `bar` field. The fix is to remove the call to HTTPString class>>decodedHTTPFrom: from SwazooURI>>fromString: ... the subsequent parsing of the queryfields already call HTTPString class>>decodedHTTPFrom: > > This bug is present in Swazoo-2.3beta2.6 Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside SwazooURITest-testFromString.st (536 bytes) Download Attachment |
In reply to this post by Dale Henrichs
2011/8/3 Dale Henrichs <[hidden email]>:
> In the last week or so, I've run into a couple of bugs in Swazoo that may be of interest to any Seasiders using Swazoo in their applications. I've got workarounds for GLASS if anyone is interested. > > The first bug is in SwazooURI where the query fields in an URL will be incorrectly parsed if an `&` or other special character is embedded in the value of the field. The following example illustrates the bug: > > | url ans1 ans2 | > url := 'www.foo.com/index.html?foo=1&bar=', 'bar"sample method"^#($&)' encodeForHTTP > ans1 := SwazooURI fromString: url. > > ans2 := SwazooURI new. > ans2 fromStream: url readStream. > > ans1 printString = ans2 printString > > SwazooURI>>fromString: (called by SwazooURI class>>fromString:) prematurely decodes the input string exposing the `&` and causes the parser to think that there is an additional query field in the input url and results in the truncation of the value of the `bar` field. The fix is to remove the call to HTTPString class>>decodedHTTPFrom: from SwazooURI>>fromString: ... the subsequent parsing of the queryfields already call HTTPString class>>decodedHTTPFrom: > > This bug is present in Swazoo-2.3beta2.6 > > ---- > > The second bug is in WASwazooAdaptor>>requestUrlFor:. In this case WAUrl is fed the printString of the #uri (an instance of SwazooURI) as follows: > > requestUrlFor: aNativeRequest > | url | > url := ((WAUrl absolute: aNativeRequest uri printString) > decodedWith: self codec). > aNativeRequest isEncrypted > ifTrue: [ url scheme: 'https' ]. > ^ url > > The problem occurs because WAUrl class>>absolute: expects the url to be url encoded, but the printString for SwazooURI prints the decoded url. Again this causes problems when HTTP special characters are in the input url. The other adaptors feed the 'raw' encoded url string to WAUrl, but the Swazoo adaptor does not ... SwazooURI does not keep the encoded source url around, so in my workaround I changed SwazooURI printQueriesOn: to reencode the query parameters ... Since it's already parsed I think it would be better to create the WAUrl from the SwazooURI without serializing and parsing again. I'll look into it. http://code.google.com/p/seaside/issues/detail?id=674 Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
In reply to this post by Dale Henrichs
2011/8/3 Dale Henrichs <[hidden email]>:
> In the last week or so, I've run into a couple of bugs in Swazoo that may be of interest to any Seasiders using Swazoo in their applications. I've got workarounds for GLASS if anyone is interested. > > The first bug is in SwazooURI where the query fields in an URL will be incorrectly parsed if an `&` or other special character is embedded in the value of the field. The following example illustrates the bug: > > | url ans1 ans2 | > url := 'www.foo.com/index.html?foo=1&bar=', 'bar"sample method"^#($&)' encodeForHTTP > ans1 := SwazooURI fromString: url. > > ans2 := SwazooURI new. > ans2 fromStream: url readStream. > > ans1 printString = ans2 printString > > SwazooURI>>fromString: (called by SwazooURI class>>fromString:) prematurely decodes the input string exposing the `&` and causes the parser to think that there is an additional query field in the input url and results in the truncation of the value of the `bar` field. The fix is to remove the call to HTTPString class>>decodedHTTPFrom: from SwazooURI>>fromString: ... the subsequent parsing of the queryfields already call HTTPString class>>decodedHTTPFrom: > > This bug is present in Swazoo-2.3beta2.6 decoded. See attached test. Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside SwazooURITest-testIdentifierPathEncoded.st (632 bytes) Download Attachment |
Free forum by Nabble | Edit this page |