WebDAV: bad URL quoting in "PropFind"
Bug #143471 reported by
Dieter Maurer
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Zope 2 |
Invalid
|
Medium
|
Unassigned |
Bug Description
"webdav.
URLs.
"safe_quote" quotes iff the URL does not yet contain '%'.
This fails to quote the URL correctly in cases like this:
PROPFIND /a%20b/
when the collection "a b" contains an element whose
id needs quoting, e.g. "my id".
The recursive call to "apply" gets "/a%20b/my id" as "url"
parameter in this case and "safe_quote" does not change it.
The fix quotes the id when the "url" is constructed for
the recursive "apply" call.
Changed in zope2: | |
status: | New → Confirmed |
To post a comment you must log in.
failing to see a fix in this report (though perhaps it's just me), this works for me:
in lib/python/ webdav/ davcmds. py, line 164:
replace: path.join( url, absattr(ob.id)) path.join( url, quote(absattr( ob.id)) )
uri=os.
with
uri=os.
this is a one-word fix for a rather serious piece of breakage -- please consider applying it.
also, a session transcript which may help to illustrate the issue:
[snip]
HTTP/1.1 207 Multi-Status^M
Server: Zope/(Zope 2.7.5-final, python 2.3.5, linux2) ZServer/1.1^M
[...]
<d:response> /data/untitled% 20folder/ </d:href>
<d:href>
<d:propstat>
<d:prop>
[...]
<n:resourcetype xmlns:n= "DAV:"> <n:collection/ ></n:resourcety pe> HTTP/1. 1 200 OK</d:status>
</d:prop>
<d:status>
[...]
</d:response> /data/untitled% 20folder/ untitled folder/</d:href>
* ******* ***
<d:response>
<d:href>
<d:propstat>
[snip]