* [pve-devel] [PATCH common] fix #5486: tools: encode_text: add '%' to list of encoded characters
@ 2024-05-28 11:10 Dominik Csapak
  2024-07-04  8:58 ` [pve-devel] applied: " Fabian Grünbichler
  0 siblings, 1 reply; 2+ messages in thread
From: Dominik Csapak @ 2024-05-28 11:10 UTC (permalink / raw)
  To: pve-devel

All text that is going through encode_text will at a later point be
decoded by 'decode_text'. The latter is decoding all percent encoded
characters, even those not originally encoded by 'encode_text'.

This means, to preserve the original data, we first have to at least
percent encode the '%' itself, otherwise it's impossible to properly
store e.g. '%20' there.

It would get saved as '%20' directly, but on the next read, it gets
decoded to ' ', which is not the original data. Instead we have to save
it as '%2520', which then gets correctly decoded to '%20' again.

This is especially important for the vm/ct/node description, as there
users can store external links, which already include percent encoded
characters.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
AFAICS, we only use this for comment fields + first/lastname in
access-control, so we should be ok here
 src/PVE/Tools.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index 766c809..59cc5c9 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -1246,8 +1246,8 @@ sub upid_normalize_status_type {
 sub encode_text {
     my ($text) = @_;
 
-    # all control and hi-bit characters, and ':'
-    my $unsafe = "^\x20-\x39\x3b-\x7e";
+    # all control and hi-bit characters, ':' and '%'
+    my $unsafe = "^\x20-\x24\x26-\x39\x3b-\x7e";
     return uri_escape(Encode::encode("utf8", $text), $unsafe);
 }
 
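Review bot: No regression test accompanies the change to $unsafe in encode_text; the diffstat lists only src/PVE/Tools.pm. A round-trip check that a description containing '%20' comes back unchanged after encode_text and decode_text would pin the behaviour the commit message describes, and a second case with ':' would guard the existing gap at \x3a. The updated comment also lists "':' and '%'" without the reason; one more line saying that decode_text decodes every percent sequence would tell a later reader why '%' cannot be dropped from the list again.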
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
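
An added example, not part of the original mail or of the project's code: a small Perl script that sends a few strings through a store/read round trip with the old and the new character class from the hunk. `decode_all` is an assumed stand-in for decode_text (the mail only says it decodes every percent-encoded sequence), `encode_with` is a hypothetical helper, and the sample strings are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode ();
use URI::Escape qw(uri_escape uri_unescape);

binmode(STDOUT, ':encoding(UTF-8)');

# Character classes copied from the hunk; every byte NOT listed is escaped.
my %unsafe = (
    old => "^\x20-\x39\x3b-\x7e",            # control, hi-bit, ':'
    new => "^\x20-\x24\x26-\x39\x3b-\x7e",   # same, plus '%' (0x25)
);

# Hypothetical helper: encode_text with a selectable character class.
sub encode_with {
    my ($text, $class) = @_;
    return uri_escape(Encode::encode("utf8", $text), $class);
}

# Assumed stand-in for decode_text: unescape every %XX, then decode UTF-8.
sub decode_all {
    my ($data) = @_;
    return Encode::decode("utf8", uri_unescape($data));
}

# Constructed sample inputs (not taken from the bug report).
my @samples = (
    'https://example.com/a%20b',   # link that is already percent-encoded
    'a%3Ab',                       # '%3A' would decode to ':'
    '100% done',                   # '%' not followed by two hex digits
    'note: caf' . "\x{e9}",        # ':' and a hi-bit character
);

for my $text (@samples) {
    for my $variant (qw(old new)) {
        my $stored = encode_with($text, $unsafe{$variant});
        my $read   = decode_all($stored);
        # Flag every input that does not survive the round trip.
        printf "%-3s  %-28s -> %-32s -> %-28s %s\n",
            $variant, $text, $stored, $read,
            ($read eq $text ? 'ok' : 'CHANGED');
    }
}
```

Only inputs where '%' is followed by two hex digits are altered by the old class; the other samples round-trip under both, which is why the problem shows up mainly with pasted links.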

* [pve-devel] applied: [PATCH common] fix #5486: tools: encode_text: add '%' to list of encoded characters
  2024-05-28 11:10 [pve-devel] [PATCH common] fix #5486: tools: encode_text: add '%' to list of encoded characters Dominik Csapak
@ 2024-07-04  8:58 ` Fabian Grünbichler
  0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2024-07-04  8:58 UTC (permalink / raw)
  To: Proxmox VE development discussion

Quoting Dominik Csapak (2024-05-28 13:10:02)
> All text that is going through encode_text will at a later point be
> decoded by 'decode_text'. The latter is decoding all percent encoded
> characters, even those not originally encoded by 'encode_text'.
> 
> This means, to preserve the original data, we first have to at least
> percent encode the '%' itself, otherwise it's impossible to properly
> store e.g. '%20' there.
> 
> It would get saved as '%20' directly, but on the next read, it gets
> decoded to ' ', which is not the original data. Instead we have to save
> it as '%2520', which then gets correctly decoded to '%20' again.
> 
> This is especially important for the vm/ct/node description, as there
> users can store external links, which already include percent encoded
> characters.
> 
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> AFAICS, we only use this for comment fields + first/lastname in
> access-control, so we should be ok here

and also for the worker ID for download-from-url workers, which should be fine
as well.

>  src/PVE/Tools.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
> index 766c809..59cc5c9 100644
> --- a/src/PVE/Tools.pm
> +++ b/src/PVE/Tools.pm
> @@ -1246,8 +1246,8 @@ sub upid_normalize_status_type {
>  sub encode_text {
>      my ($text) = @_;
>  
> -    # all control and hi-bit characters, and ':'
> -    my $unsafe = "^\x20-\x39\x3b-\x7e";
> +    # all control and hi-bit characters, ':' and '%'
> +    my $unsafe = "^\x20-\x24\x26-\x39\x3b-\x7e";
>      return uri_escape(Encode::encode("utf8", $text), $unsafe);
>  }
>  
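
Review bot: The new class "^\x20-\x24\x26-\x39\x3b-\x7e" leaves the encoded bytes to be inferred from the gaps in the hex ranges; naming them next to the string (\x25 is '%', \x3a is ':') would make the next change to this list easier to audit. The change also only affects values written from now on: per the commit message, text saved with the old class keeps a literal '%20' in storage and will still be read back as ' ', so it is worth stating in the commit message or in #5486 whether existing descriptions have to be re-saved by the user.
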
> -- 
> 2.39.2
