Merge branch 'fix/Encode_actions_base64' into 'master'

Encode action values in base64 instead of url_encode (because of UrlRewrite)

L'URL rewriting gère mal les caractères encodés : il les décode à la volée.
Ce qui fait que `%26` devient `&` et fait bugger quand l'URL est de la forme `x.php?name=Titi%26Toto` : il la traduit en `x.php?name=Titi&Toto`. `name` est alors égal à `Titi`, et un paramètre `Toto` fait son apparition.

Avec apache, il faut utiliser le flag `[B]`. N'ayant pas trouvé de solution pour nginx on a choisi d'encoder tout en base64.

See merge request !94
This commit is contained in:
Antonin 2015-11-30 20:43:47 +01:00
commit 2fd5b3e13d
7 changed files with 33 additions and 15 deletions


@ -246,6 +246,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
if (!empty($_GET['delete_vote'])) { if (!empty($_GET['delete_vote'])) {
$vote_id = filter_input(INPUT_GET, 'delete_vote', FILTER_VALIDATE_INT); $vote_id = filter_input(INPUT_GET, 'delete_vote', FILTER_VALIDATE_INT);
$vote_id = Utils::base64url_decode($vote_id);
if ($adminPollService->deleteVote($poll_id, $vote_id)) { if ($adminPollService->deleteVote($poll_id, $vote_id)) {
$message = new Message('success', __('adminstuds', 'Vote deleted')); $message = new Message('success', __('adminstuds', 'Vote deleted'));
} else { } else {
@ -361,6 +362,7 @@ if (isset($_POST['confirm_delete_poll'])) {
if (!empty($_GET['delete_column'])) { if (!empty($_GET['delete_column'])) {
$column = filter_input(INPUT_GET, 'delete_column', FILTER_DEFAULT); $column = filter_input(INPUT_GET, 'delete_column', FILTER_DEFAULT);
$column = Utils::base64url_decode($column);
if ($poll->format === 'D') { if ($poll->format === 'D') {
$ex = explode('@', $column); $ex = explode('@', $column);
@ -385,15 +387,15 @@ if (!empty($_GET['delete_column'])) {
// Add a slot // Add a slot
// ------------------------------- // -------------------------------
if (isset($_GET['add_slot'])) { if (isset($_GET['add_column'])) {
$smarty->assign('poll_id', $poll_id); $smarty->assign('poll_id', $poll_id);
$smarty->assign('admin_poll_id', $admin_poll_id); $smarty->assign('admin_poll_id', $admin_poll_id);
$smarty->assign('format', $poll->format); $smarty->assign('format', $poll->format);
$smarty->assign('title', __('Generic', 'Poll') . ' - ' . $poll->title); $smarty->assign('title', __('Generic', 'Poll') . ' - ' . $poll->title);
$smarty->display('add_slot.tpl'); $smarty->display('add_column.tpl');
exit; exit;
} }
if (isset($_POST['confirm_add_slot'])) { if (isset($_POST['confirm_add_column'])) {
try { try {
if ($poll->format === 'D') { if ($poll->format === 'D') {
$newdate = strip_tags($_POST['newdate']); $newdate = strip_tags($_POST['newdate']);
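Review bot: The `FILTER_VALIDATE_INT` check on the `delete_vote` parameter now runs on the base64url text, so a legitimately encoded id fails validation, `base64url_decode(false)` yields an empty string, and `deleteVote` is called with that empty id while the decoded value itself is never validated as an integer. Decode first and validate the result: `$vote_id = filter_var(Utils::base64url_decode(filter_input(INPUT_GET, 'delete_vote', FILTER_DEFAULT)), FILTER_VALIDATE_INT);` followed by an `if ($vote_id === false)` branch that reports an error instead of calling `deleteVote`. The `delete_column` hunk has the same shape: the decoded bytes go straight into `explode('@', $column)` with no check that the decode produced anything usable. The `if (!empty($_GET['delete_vote']))` block closes outside the hunk.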


@ -200,7 +200,7 @@ class AdminPollService {
* @throws MomentAlreadyExistsException When the moment to add already exists in database * @throws MomentAlreadyExistsException When the moment to add already exists in database
*/ */
public function addDateSlot($poll_id, $datetime, $new_moment) { public function addDateSlot($poll_id, $datetime, $new_moment) {
$this->logService->log('ADD_SLOT', 'id:' . $poll_id . ', datetime:' . $datetime . ', moment:' . $new_moment); $this->logService->log('ADD_COLUMN', 'id:' . $poll_id . ', datetime:' . $datetime . ', moment:' . $new_moment);
$slots = $this->slotRepository->listByPollId($poll_id); $slots = $this->slotRepository->listByPollId($poll_id);
$result = $this->findInsertPosition($slots, $datetime); $result = $this->findInsertPosition($slots, $datetime);
@ -243,7 +243,7 @@ class AdminPollService {
* @throws MomentAlreadyExistsException When the moment to add already exists in database * @throws MomentAlreadyExistsException When the moment to add already exists in database
*/ */
public function addClassicSlot($poll_id, $title) { public function addClassicSlot($poll_id, $title) {
$this->logService->log('ADD_SLOT', 'id:' . $poll_id . ', title:' . $title); $this->logService->log('ADD_COLUMN', 'id:' . $poll_id . ', title:' . $title);
$slots = $this->slotRepository->listByPollId($poll_id); $slots = $this->slotRepository->listByPollId($poll_id);


@ -105,7 +105,7 @@ class Utils {
*/ */
public static function getUrlSondage($id, $admin = false, $vote_id = '', $action = null, $action_value = null) { public static function getUrlSondage($id, $admin = false, $vote_id = '', $action = null, $action_value = null) {
// URL-Encode $action_value // URL-Encode $action_value
$action_value = $action_value == null ? null : urlencode($action_value); $action_value = $action_value == null ? null : Utils::base64url_encode($action_value);
if (URL_PROPRE) { if (URL_PROPRE) {
if ($admin === true) { if ($admin === true) {
@ -115,8 +115,12 @@ class Utils {
} }
if ($vote_id != '') { if ($vote_id != '') {
$url .= '/vote/' . $vote_id . "#edit"; $url .= '/vote/' . $vote_id . "#edit";
} elseif ($action != null && $action_value != null) { } elseif ($action != null) {
$url .= '/action/' . $action . '/' . $action_value; if ($action_value != null) {
$url .= '/action/' . $action . '/' . $action_value;
} else {
$url .= '/action/' . $action;
}
} }
} else { } else {
if ($admin === true) { if ($admin === true) {
@ -126,8 +130,12 @@ class Utils {
} }
if ($vote_id != '') { if ($vote_id != '') {
$url .= '&vote=' . $vote_id . "#edit"; $url .= '&vote=' . $vote_id . "#edit";
} elseif ($action != null && $action_value != null) { } elseif ($action != null) {
$url .= '&' . $action . "=" . $action_value; if ($action_value != null) {
$url .= '&' . $action . "=" . $action_value;
} else {
$url .= '&' . $action . "=";
}
} }
} }
@ -200,4 +208,12 @@ class Utils {
public static function fromPostOrDefault($postKey, $default = '') { public static function fromPostOrDefault($postKey, $default = '') {
return !empty($_POST[$postKey]) ? Utils::htmlEscape($_POST[$postKey]) : $default; return !empty($_POST[$postKey]) ? Utils::htmlEscape($_POST[$postKey]) : $default;
} }
public static function base64url_encode($input) {
return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}
public static function base64url_decode($input) {
return base64_decode(str_pad(strtr($input, '-_', '+/'), strlen($input) % 4, '=', STR_PAD_RIGHT));
}
} }
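Review bot: In `base64url_decode`, `str_pad`'s second argument is a target length, so `strlen($input) % 4` (a value of 0–3) is almost always shorter than the input and no `=` padding is ever appended; decoding only works because `base64_decode` is lenient in non-strict mode, and that same leniency silently discards any byte outside the alphabet rather than rejecting a tampered or truncated value. Compute the padding to the next multiple of four and decode strictly: `$b64 = strtr($input, '-_', '+/');` then `$b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);` and `return base64_decode($b64, true);`, with a docblock stating that the function returns `false` for input outside the base64url alphabet. Callers in adminstuds.php that feed the result to `deleteVote` or `explode` should then treat `false` as a bad request. A one-line note on `base64url_encode` that the trailing `=` is deliberately stripped so the value is safe in a rewritten path segment would explain the pairing.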


@ -9,9 +9,9 @@
RewriteRule . - [L] RewriteRule . - [L]
RewriteRule ^([a-zA-Z0-9]{16})$ studs.php?poll=$1 [L] RewriteRule ^([a-zA-Z0-9]{16})$ studs.php?poll=$1 [L]
RewriteRule ^([a-zA-Z0-9]{16})/action/([a-zA-Z_-]+)/(.+)$ studs.php?poll=$1&$2=$3 [B] RewriteRule ^([a-zA-Z0-9]{16})/action/([a-zA-Z_-]+)/(.+)$ studs.php?poll=$1&$2=$3
RewriteRule ^([a-zA-Z0-9]{16})/vote/([a-zA-Z0-9]{16})$ studs.php?poll=$1&vote=$2 RewriteRule ^([a-zA-Z0-9]{16})/vote/([a-zA-Z0-9]{16})$ studs.php?poll=$1&vote=$2
RewriteRule ^([a-zA-Z0-9]{24})/admin$ adminstuds.php?poll=$1 RewriteRule ^([a-zA-Z0-9]{24})/admin$ adminstuds.php?poll=$1
RewriteRule ^([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$ adminstuds.php?poll=$1&vote=$2 RewriteRule ^([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$ adminstuds.php?poll=$1&vote=$2
RewriteRule ^([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)/(.+)$ adminstuds.php?poll=$1&$2=$3 [B] RewriteRule ^([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/(.+))?$ adminstuds.php?poll=$1&$2=$4
</IfModule> </IfModule>
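Review bot: The `(.+)` captures on the two `/action/` rules still accept any byte sequence for the value, although after this change `getUrlSondage` only ever emits base64url, i.e. `[A-Za-z0-9_-]`; tightening both to `([A-Za-z0-9_-]+)` rejects malformed values at the rewrite layer before they reach `base64url_decode`, and gives the nginx configuration an equally simple pattern. Only the admin rule was given the optional `(/(.+))?$ … $2=$4` form, yet the new `Utils::getUrlSondage` also builds `/action/<name>` without a value in the non-admin branch, so such a link to studs.php would not match its rule. Either give the studs.php rule the same optional-value shape or document in a comment above it that value-less actions are admin-only.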


@ -32,7 +32,7 @@
{/if} {/if}
<div class="form-group"> <div class="form-group">
<button class="btn btn-default" type="submit" name="back">{__('adminstuds', 'Back to the poll')}</button> <button class="btn btn-default" type="submit" name="back">{__('adminstuds', 'Back to the poll')}</button>
<button type="submit" name="confirm_add_slot" class="btn btn-success">{__('adminstuds', 'Add a column')}</button> <button type="submit" name="confirm_add_column" class="btn btn-success">{__('adminstuds', 'Add a column')}</button>
</div> </div>
</div> </div>
</form> </form>


@ -21,7 +21,7 @@
</td> </td>
{/foreach} {/foreach}
<td> <td>
<a href="{poll_url id=$admin_poll_id admin=true action='add_slot' action_value=true}" <a href="{poll_url id=$admin_poll_id admin=true action='add_column'}"
class="btn btn-link btn-sm" title="{__('adminstuds', 'Add a column')}"> class="btn btn-link btn-sm" title="{__('adminstuds', 'Add a column')}">
<i class="glyphicon glyphicon-plus text-success"></i><span class="sr-only">{__('Poll results', 'Add a column')}</span> <i class="glyphicon glyphicon-plus text-success"></i><span class="sr-only">{__('Poll results', 'Add a column')}</span>
</a> </a>


@ -27,7 +27,7 @@
{/foreach} {/foreach}
{/foreach} {/foreach}
<td> <td>
<a href="{poll_url id=$admin_poll_id admin=true action='add_slot' action_value=true}" <a href="{poll_url id=$admin_poll_id admin=true action='add_column'}"
class="btn btn-link btn-sm" title="{__('adminstuds', 'Add a column')}"> class="btn btn-link btn-sm" title="{__('adminstuds', 'Add a column')}">
<i class="glyphicon glyphicon-plus text-success"></i><span class="sr-only">{__('Poll results', 'Add a column')}</span> <i class="glyphicon glyphicon-plus text-success"></i><span class="sr-only">{__('Poll results', 'Add a column')}</span>
</a> </a>