Librarian token checker doesn't cope with different path encodings
Bug #690634 reported by
William Grant
This bug report is a duplicate of:
Bug #677270: restricted librarian urls give a 404 if normalised (e.g. by apache, chromium, often shows up on private PPA build logs).
Edit
Remove
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Triaged
|
High
|
Unassigned |
Bug Description
The librarian TimeLimitedToken matcher compares encoded paths, not the actual (decoded) paths.
This causes problems for filenames containing '~', since LP sends it encoded but browsers like to play with decoding it. For example, Chromium will not send a URL containing '%7E' -- it will decode it to '~' and transmit that. Firefox will display '~' in the address bar but still send '%7E', so the link will work once but not when copied. Other characters may be affected, but common ones like '+' are preserved as '%2B'.
Is there a good reason we don't store the decoded path in the token, and check against that?
To post a comment you must log in.
I suspect that there is no good reason, though I don't know the new code.