Transient login form can't handle array variables

Bug #1480764 reported by Aaron Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | Low | Aaron Wells |
15.10 | Fix Released | Undecided | Unassigned |

Bug Description

You know how, when you're logged out of Mahara and you try to go to a page that isn't shared with the public, and you see a login form? We call that the "transient login page".

It tries to be smart and remember the URL that you were trying to reach, and then forward you on there again after you log in. But the code that does this just iterates over $_GET and runs htmlspecialchars() on each key & value. And this causes problems if the URL contains array values, i.e. http://www.example.com?foo[]=value1&foo[]=value2

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/5036

Aaron Wells (u-aaronw) wrote :

To test:

1. Create a Portfolio page
2. Copy the URL for the page, e.g. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/view/view.php?id=8
3. Manually add "&foo[]=bar&foo[]=baz" to the end of the URL, e.g. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/view/view.php?id=8&foo[]=bar&foo[]=baz
4. Log out
5. Go to the manually altered URL you created in step 3
6. You should see the transient login screen.
7. Log in at the transient login screen.

Expected result: You should see your array variables at the end of the URL (possibly with explicitly numeric keys; that's okay), e.g. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/view/view.php?id=8&foo[1]=bar&foo[2]=baz

Actual result: You do not see the array variables at the end of the URL. And, you will see a warning in the logs: "[WAR] ec (lib/web.php:3205) htmlspecialchars() expects parameter 1 to be string, array given"

tags: added: behatnotneeded
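
The failure described in the report and the test steps, as an added example that is not part of the original bug page and is not Mahara's code: it contrasts escaping every $_GET value as a string with an array-aware version that flattens nested values before escaping. The function names, the hidden-input carrier and the sample data are assumptions; PHP 7 or later is assumed for the type declarations.

```php
<?php
// Added example; function names are hypothetical, not Mahara's lib/web.php code.
// Constructed sample: what PHP builds in $_GET for ?id=8&foo[]=bar&foo[]=baz
$get = ['id' => '8', 'foo' => ['bar', 'baz']];

// The pattern described in the report: every value is assumed to be a string.
function hidden_fields_naive(array $params): string {
    $html = '';
    foreach ($params as $key => $value) {
        // With an array $value, PHP 5/7 warn and return null; PHP 8 throws TypeError.
        $html .= '<input type="hidden" name="' . htmlspecialchars($key)
               . '" value="' . htmlspecialchars($value) . "\">\n";
    }
    return $html;
}

// Array-aware version: flatten nested values to "foo[0]", "foo[1]", ... first,
// so that only scalar leaves ever reach htmlspecialchars().
function flatten_params(array $params, string $prefix = ''): array {
    $flat = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flat += flatten_params($value, $name);
        } else {
            $flat[$name] = (string) $value;
        }
    }
    return $flat;
}

function hidden_fields(array $params): string {
    $html = '';
    foreach (flatten_params($params) as $name => $value) {
        // Both the flattened name and the value are attacker-controlled: escape both.
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

try {
    echo hidden_fields_naive($get);   // array value is lost or raises
} catch (TypeError $e) {
    echo 'naive: ', $e->getMessage(), "\n";
}
echo hidden_fields($get);             // array entries survive with numeric keys
```

Flattening produces explicit numeric keys, which matches the "possibly with explicitly numeric keys" allowance in the expected result above.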
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/5036
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/409036dbbe5ce15dd0c6f3819510be4818f15d71
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 409036dbbe5ce15dd0c6f3819510be4818f15d71
Author: Aaron Wells <email address hidden>
Date: Mon Aug 3 16:57:23 2015 +1200

Better handling of array-based variables for transient login form (Bug 1480764)

(behatnotneeded)

Change-Id: I2d9a0a140e57c9b040fb3d19243a6bef8f7aa505

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released