[Tickets #14148] Re: vacation, spam & forward double encoding
noreply at bugs.horde.org
Mon Nov 2 18:22:39 UTC 2015
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: https://bugs.horde.org/ticket/14148
------------------------------------------------------------------------------
Ticket | 14148
Updated By | Michael Rubinsky <mrubinsk at horde.org>
Summary | vacation, spam & forward double encoding
Queue | Horde Framework Packages
Type | Bug
State | Resolved
Priority | 1. Low
Milestone |
Patch |
Owners | Michael Rubinsky
------------------------------------------------------------------------------
Michael Rubinsky <mrubinsk at horde.org> (2015-11-02 18:22) wrote:
> This isn't correct and opens a security issue in Horde_Form. We
> should probably rather make sure that we don't pass the encoded URL
> to Horde_Form from Ingo. Probably need to set ->raw in the passed
> Horde_Url.
But it's not already encoded. What was removed was the "action"
attribute being run through htmlspecialchars, which isn't really
appropriate for encoding an actual URL. e.g.:
htmlspecialchars('/some/page.php?foo=bar&bar=foo')
does not result in a valid, working URL.
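The following is an added example, not code from Horde, Ingo or the ticket, written to make the three situations under discussion concrete: a raw URL run once through htmlspecialchars() and placed in an action attribute, a URL that is already entity-encoded (which is what a non-raw Horde_Url is assumed here to render to, following Jan's remark about ->raw) and then escaped again, and the attribute with the escaping removed. The renderFormTag() and actionAsSeenByBrowser() helpers are hypothetical stand-ins for a template and for a browser's attribute parsing; the URLs are constructed inputs.

```php
<?php
// Added example (not Horde/Ingo code). Demonstrates single encoding,
// double encoding and no encoding of a URL in an HTML attribute.

/**
 * Hypothetical template helper: emit a <form> tag, optionally running the
 * action URL through htmlspecialchars() first (the step the ticket removed).
 */
function renderFormTag(string $actionUrl, bool $escapeAttr): string
{
    $attr = $escapeAttr
        ? htmlspecialchars($actionUrl, ENT_QUOTES, 'UTF-8')
        : $actionUrl;
    return '<form action="' . $attr . '" method="post">';
}

/**
 * Hypothetical stand-in for a browser's HTML parser: take the quoted
 * attribute text and decode character references. Simplified, but it is
 * enough to show what a browser does with "&amp;" and "&quot;".
 */
function actionAsSeenByBrowser(string $formTag): ?string
{
    if (!preg_match('/action="([^"]*)"/', $formTag, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$raw = '/some/page.php?foo=bar&bar=foo';   // constructed, as in the ticket

// 1. Raw URL escaped once. The attribute text is "&amp;", the browser
//    decodes it back to "&", so the URL submitted is exactly $raw.
$tag1 = renderFormTag($raw, true);
// <form action="/some/page.php?foo=bar&amp;bar=foo" method="post">
assert(actionAsSeenByBrowser($tag1) === $raw);

// 2. URL that is already entity-encoded (assumed output of a non-raw
//    Horde_Url) escaped again: the double encoding from the ticket title.
//    The browser now sees a literal "&amp;bar=foo" in the query string.
$alreadyEncoded = '/some/page.php?foo=bar&amp;bar=foo';
$tag2 = renderFormTag($alreadyEncoded, true);
// <form action="/some/page.php?foo=bar&amp;amp;bar=foo" method="post">
assert(actionAsSeenByBrowser($tag2) === '/some/page.php?foo=bar&amp;bar=foo');

// 3. Escaping removed. Any '"' in the URL closes the attribute, so input
//    that reaches the action URL can add attributes of its own to the tag.
$hostile = '/some/page.php?q=" onsubmit="evilFunction()';   // constructed input
$tag3 = renderFormTag($hostile, false);
// <form action="/some/page.php?q=" onsubmit="evilFunction()" method="post">
assert(strpos($tag3, ' onsubmit="') !== false);

// With escaping kept, the quote becomes &quot; and stays inside the value;
// the browser still decodes it to the same string, but as data, not markup.
$tag4 = renderFormTag($hostile, true);
assert(strpos($tag4, ' onsubmit="') === false);
assert(actionAsSeenByBrowser($tag4) === $hostile);

echo "once-escaped:    {$tag1}\n";
echo "double-encoded:  {$tag2}\n";
echo "unescaped:       {$tag3}\n";
echo "escaped hostile: {$tag4}\n";
```

The takeaway for the fix is that the two encodings serve different layers: the raw URL should be built first, and htmlspecialchars() applied exactly once at the point where it is written into the attribute. Passing a Horde_Url with raw set (so the URL is not already entity-encoded) into Horde_Form keeps the single escaping in Horde_Form and avoids the "&amp;amp;" result without removing the attribute escaping. Run with zend.assertions=1 for the assert() calls to be evaluated.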