Bug 223937 (Closed) - Opened 21 years ago, Closed 21 years ago

web site error while updating email address

Categories

(Bugzilla :: User Accounts, defect, P1)

2.17.1

Tracking

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: shengh, Assigned: goobix)

Details

(Keywords: regression, Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5])

Attachments

(3 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

I sent the following message to the webmaster@mozilla.org.

Hi webmaster,

Time: 2003-10-28 CET (central european time, berlin) around 13:30 ~ 13:36

I was using bugzilla.mozilla.org to change my login email to another one. I entered the new email in the bugzilla system, got mail at both the old and new email addresses asking me to confirm the change at the new email address, clicked on the confirm link (http://bugzilla.mozilla.org/token.cgi?a=cfmem&t=&fC5CG$9), was asked to enter the old mail address again, entered it and hit submit, then I got the following error. Please can you check the system.

Sheng.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, webmaster@mozilla.org and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.
Apache/1.3.27 Server at bugzilla.mozilla.org Port 80

Reproducible: Always
[Tue Oct 28 04:29:35 2003] token.cgi: Use of uninitialized value in concatenation (.) or string at /opt/webtools/bugzilla/token.cgi line 221.
[Tue Oct 28 04:29:35 2003] token.cgi: DBD::mysql::st execute failed: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2 at globals.pl line 279.
[Tue Oct 28 04:29:35 2003] [error] [client 158.140.2.102] malformed header from script. Bad header=<pre>SELECT userid, eventdata : /opt/webtools/bugzilla/token.cgi
[Tue Oct 28 04:29:35 2003] token.cgi: SELECT userid, eventdata FROM tokens
[Tue Oct 28 04:29:35 2003] token.cgi: WHERE token = : You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2 at globals.pl line 284.
[Tue Oct 28 04:29:48 2003] token.cgi: Use of uninitialized value in concatenation (.) or string at /opt/webtools/bugzilla/token.cgi line 221.
[Tue Oct 28 04:29:48 2003] token.cgi: DBD::mysql::st execute failed: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2 at globals.pl line 279.
[Tue Oct 28 04:29:48 2003] [error] [client 158.140.2.102] malformed header from script. Bad header=<pre>SELECT userid, eventdata : /opt/webtools/bugzilla/token.cgi
[Tue Oct 28 04:29:48 2003] token.cgi: SELECT userid, eventdata FROM tokens
[Tue Oct 28 04:29:48 2003] token.cgi: WHERE token = : You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2 at globals.pl line 284.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 2.17.1
Notice the token contains an '&' which is not URI-encoded. I converted that to %26 and resubmitted http://bugzilla.mozilla.org/token.cgi?a=cfmem&t=%26fC5CG$9 and it took it. (You'll notice your address changed.)
OS: Windows 2000 → All
Hardware: PC → All
This was previously fixed in Bugzilla 2.14 (pre-templatization - see bug 95535) and has regressed.

Looking at the template which generates this (account/email/change-new.txt.tmpl), the line is:

[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER url_quote %]

which on its face appears to be doing the right thing. This means our url_quote filter is probably broken. I don't see where, looking at the code. My guess is we aren't using the filter API properly on our pass-through to Bugzilla::Util::url_quote.

If this affects 2.16 I want the fix for 2.16.4.
Severity: normal → major
Keywords: regression
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
The issue is that %26 gets converted back to "&" in URLs by some email clients. The reasonable thing to do is to disallow & in tokens. (Notice that the $ char in the example above had to be escaped as well, but David submitted the token by escaping only the & char, and it worked, so $ and other chars aren't causing much trouble.)
Assignee: myk → jocuri
Status: NEW → ASSIGNED
Attached patch: Against HEAD
Attachment #134341 - Flags: review?(kiko)
Attachment #134342 - Flags: review?(kiko)
Oh, forgot about this:

<vladd> justdave_: I did [% token = "&fC5CG$9" %] and then [% token FILTER url_quote %] in a template and it showed a string starting with %26 ...
<vladd> The really cool solution is to disable & in tokens.
<vladd> (really, the original problem is that some email clients convert back %26 to &, otherwise I really can't explain that, unless the memory of b.m.o got corrupted :) )
Attachment #134342 - Flags: review?(myk)
Attachment #134341 - Flags: review?(myk)
The alternative would be to allow only [a-zA-Z0-9] or something similar; it doesn't restrict the number of available combinations for tokens much, and we're safe on the encoding side, but it's pretty extreme.
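As an added Python demonstration (not Bugzilla's own code, which is Perl in globals.pl) of the failure path discussed in the comments above: the reported token, the url_quote'd link, and a mail client that decodes %26 back to '&', beside the restricted [a-zA-Z0-9] alphabet from the previous comment. The token generator, its length, and the mail-client mangling function are assumptions for the demo, not Bugzilla behaviour.

```python
"""Constructed demo for bug 223937 (not Bugzilla code): why a token containing
'&' breaks the confirmation link even when it has been url_quote'd."""
import secrets
import string
from urllib.parse import parse_qs, quote, unquote, urlsplit

URLBASE = "http://bugzilla.mozilla.org/"   # Param('urlbase') in the template
REPORTED_TOKEN = "&fC5CG$9"                 # the token from the bug report

# Restricted alphabet: the [a-zA-Z0-9] alternative proposed in the comments.
SAFE_ALPHABET = string.ascii_letters + string.digits


def generate_token(alphabet, length=8):
    """Stand-in for Bugzilla's Perl token generator (length is an assumption)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def confirm_url(token, quoted=True):
    """Build token.cgi?a=cfmem&t=..., with (quoted=True) or without url_quote."""
    t = quote(token, safe="") if quoted else token
    return f"{URLBASE}token.cgi?a=cfmem&t={t}"


def mail_client_mangle(url):
    """Simulate a mail client that decodes %XX escapes in a link before handing
    it to the browser, the behaviour vladd describes for some clients."""
    return unquote(url)


def token_from_url(url):
    """What token.cgi sees: the 't' parameter, or '' once an unescaped '&'
    has split the token off. An empty value is exactly what produced the
    'WHERE token = ' line in the server log above."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("t", [""])[0]


def survives(token, quoted, mangled):
    """True if the token comes back intact after building (and optionally
    mangling) the confirmation link."""
    url = confirm_url(token, quoted)
    if mangled:
        url = mail_client_mangle(url)
    return token_from_url(url) == token


if __name__ == "__main__":
    for tok in (REPORTED_TOKEN, generate_token(SAFE_ALPHABET)):
        for quoted, mangled in ((False, False), (True, False), (True, True)):
            print(f"{tok!r:12} quoted={quoted!s:5} mangled={mangled!s:5} "
                  f"ok={survives(tok, quoted, mangled)}")
```

The reported token only survives the quoted, unmangled path; a token drawn from SAFE_ALPHABET survives all three, which is why dropping '&' from the alphabet is the robust fix rather than relying on url_quote alone.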
Comment on attachment 134341 (Against HEAD): r=myk
Attachment #134341 - Flags: review?(myk) → review+
Comment on attachment 134342 (Against 2-16-branch): r=myk
Attachment #134342 - Flags: review?(myk) → review+
Comment on attachment 134341 (Against HEAD): And nicely wrapped, too :-)
Attachment #134341 - Attachment description: Againest HEAD → Against HEAD
Attachment #134341 - Flags: review?(kiko)
Attachment #134342 - Attachment description: Againest 2-16-branch → Against 2-16-branch
Attachment #134342 - Flags: review?(kiko)
Flags: approval?
Flags: approval? → approval+
Whiteboard: [ready for 2.16.4] [ready for 2.17.5]
Checking in globals.pl;
/cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl
new revision: 1.169.2.17; previous revision: 1.169.2.16
done
Checking in globals.pl;
/cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl
new revision: 1.249; previous revision: 1.248
done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.4] [ready for 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
Forgot to remove the "&" in the 2-16 patch. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #134488 - Flags: review?(kiko)
Comment on attachment 134488 (Removing "&" from the 2-16 Branch): this is not my day
Attachment #134488 - Flags: review?(kiko) → review+
Comment on attachment 134488 (Removing "&" from the 2-16 Branch): r= + a=
Checking in globals.pl;
/cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl
new revision: 1.169.2.18; previous revision: 1.169.2.17
done
Status: REOPENED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa