WebDAV: bad URL quoting in "PropFind"

Bug #143471 reported by Dieter Maurer
Affects: Zope 2
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

"webdav.davcmds.PropFind.apply" uses "safe_quote" to quote
URLs.
"safe_quote" quotes iff the URL does not yet contain '%'.

This fails to quote the URL correctly in cases like this:

   PROPFIND /a%20b/

   when the collection "a b" contains an element whose
   id needs quoting, e.g. "my id".

   The recursive call to "apply" gets "/a%20b/my id" as "url"
   parameter in this case and "safe_quote" does not change it.

The fix quotes the id when the "url" is constructed for
the recursive "apply" call.

Tags: bug zope
vincentk (vincent-kraeutler) wrote :

failing to see a fix in this report (though perhaps it's just me), this works for me:

in lib/python/webdav/davcmds.py, line 164:

replace:
uri=os.path.join(url, absattr(ob.id))
with
uri=os.path.join(url, quote(absattr(ob.id)))

this is a one-word fix for a rather serious piece of breakage -- please consider applying it.

also, a session transcript which may help to illustrate the issue:

[snip]

HTTP/1.1 207 Multi-Status^M
Server: Zope/(Zope 2.7.5-final, python 2.3.5, linux2) ZServer/1.1^M

[...]

<d:response>
<d:href>/data/untitled%20folder/</d:href>
<d:propstat>
  <d:prop>

[...]

<n:resourcetype xmlns:n="DAV:"><n:collection/></n:resourcetype>
  </d:prop>
  <d:status>HTTP/1.1 200 OK</d:status>

[...]

</d:response>
<d:response>
<d:href>/data/untitled%20folder/untitled folder/</d:href>
<d:propstat>
                                  ***********

[snip]
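
The failure from the report and the one-word fix from the comment above, as an added Python 3 example that is not Zope's code. `safe_quote` is modelled on the report's description only; `TREE`, `propfind_hrefs` and `invalid_hrefs` are hypothetical names, and the sample data is constructed.

```python
import re
from urllib.parse import quote

# Constructed sample data: collection "a b" holding "my id" and "plain".
TREE = {"a b": {"my id": {}, "plain": {}}}

# A URL path may hold only these characters or %XX escapes (RFC 3986).
VALID_PATH = re.compile(r"(?:[A-Za-z0-9._~!$&'()*+,;=:@/-]|%[0-9A-Fa-f]{2})*")


def safe_quote(url):
    """Assumed model of the report's description: quote only if no '%' yet."""
    return url if "%" in url else quote(url)


def propfind_hrefs(node, url, quote_child_ids):
    """Simplified stand-in for the recursive apply(): emit safe_quote(url),
    then recurse with the child id appended (every node is a collection)."""
    hrefs = [safe_quote(url)]
    for child_id, child in node.items():
        # quote_child_ids=True mirrors the proposed fix: quote the id
        # before it is joined onto the already-quoted parent URL.
        segment = quote(child_id) if quote_child_ids else child_id
        hrefs += propfind_hrefs(child, url + segment + "/", quote_child_ids)
    return hrefs


def invalid_hrefs(hrefs):
    """Return the hrefs that are not well-formed URL paths."""
    return [h for h in hrefs if not VALID_PATH.fullmatch(h)]


if __name__ == "__main__":
    for fixed in (False, True):
        hrefs = propfind_hrefs(TREE["a b"], "/a%20b/", fixed)
        print("fixed" if fixed else "buggy", hrefs, "invalid:", invalid_hrefs(hrefs))
    # Starting from an unquoted URL hides the bug: no '%' is present, so
    # safe_quote still quotes the whole path.
    print(propfind_hrefs(TREE, "/", False))
```

The same `invalid_hrefs` check can be run over the `<d:href>` values of a captured 207 Multi-Status response to see whether a server emits unquoted paths.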

Changed in zope2:
status: New → Confirmed
DavidJB (davidjb) wrote :

Is this likely still to affect recent Zope2 versions (eg 2.13.x)? Separately, would an infinite loop/infinite recursion be a result of being affected by this issue?

Dieter Maurer (d.maurer) wrote :

> Is this likely still to affect recent Zope2 versions (eg 2.13.x)?

As apparently no serious work has been done on this issue, the bug is likely to also affect recent Zope 2 versions. You could check the code repository (--> "svn.zope.org") to verify.

> Separately, would an infinite loop/infinite recursion be a result of being affected by this issue?

No. The result is not an infinite loop but a wrongly quoted URL (one that violates the URL specification). A WebDAV client may or may not have problems with such URLs. In addition, the problem is rather rare: it occurs only when the URL needs quoting in at least two places.

Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid