Fixed issue #10474: Some characters not accepted for "save & resume l…

…ater" passwords in links sent by email
LimeSurvey · Apr 4, 2016 · a4a6a86 · a4a6a86
1 parent bf596cf
commit a4a6a86
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/application/controllers/admin/dataentry.php b/application/controllers/admin/dataentry.php
@@ -1829,11 +1829,10 @@ public function insert()
                                     $message .= gT("Name").": ".$saver['identifier']."\n";
                                     $message .= gT("Password").": ".$saver['password']."\n\n";
                                     $message .= gT("Reload your survey by clicking on the following link (or pasting it into your browser):")."\n";
-                                    $message .= Yii::app()->getController()->createAbsoluteUrl("/survey/index/sid/{$iSurveyID}/loadall/reload/scid/{$scid}/loadname/".rawurlencode ($saver['identifier'])."/loadpass/".rawurlencode ($saver['password'])."/lang/".rawurlencode($saver['language']));
-                                    if (isset($tokendata['token'])) { $message .= "/token/".rawurlencode($tokendata['token']); }
-
+                                    $aParams=array('lang'=>$saver['language'],'loadname'=>$saver['identifier'],'loadpass'=>$saver['password']);
+                                    if (isset($tokendata['token'])) { $aParams['token']= $tokendata['token']; }
+                                    $message .= Yii::app()->getController()->createAbsoluteUrl("/survey/index/sid/{$iSurveyID}/loadall/reload/scid/{$scid}/",$aParams);
                                     $from = $thissurvey['adminemail'];
-
                                     if (SendEmailMessage($message, $subject, $saver['email'], $from, $sitename, false, getBounceEmail($surveyid)))
                                     {
                                         $emailsent="Y";

diff --git a/application/helpers/frontend_helper.php b/application/helpers/frontend_helper.php
@@ -613,7 +613,7 @@ function sendSubmitNotifications($surveyid)
     // TODO: What is holdpass, and is it OK to skip these lines if it is set? Related to 'Resume later' functionality
     if ($thissurvey['allowsave'] == "Y" && isset($_SESSION['survey_'.$surveyid]['scid']) && isset($_SESSION['survey_'.$surveyid]['holdpass']))
     {
-        $aReplacementVars['RELOADURL']="".Yii::app()->getController()->createUrl("/survey/index/sid/{$surveyid}/loadall/reload/scid/".$_SESSION['survey_'.$surveyid]['scid']."/loadname/".urlencode($_SESSION['survey_'.$surveyid]['holdname'])."/loadpass/".urlencode($_SESSION['survey_'.$surveyid]['holdpass'])."/lang/".urlencode(App()->language));
+        $aReplacementVars['RELOADURL']=Yii::app()->getController()->createUrl("/survey/index/sid/{$surveyid}/loadall/reload/scid/".$_SESSION['survey_'.$surveyid]['scid']."/lang/".urlencode(App()->language),array('loadname'=>$_SESSION['survey_'.$surveyid]['holdname'],'loadpass'=>$_SESSION['survey_'.$surveyid]['holdpass']));
         if ($bIsHTML)
         {
             $aReplacementVars['RELOADURL']="<a href='{$aReplacementVars['RELOADURL']}'>{$aReplacementVars['RELOADURL']}</a>";

diff --git a/application/libraries/Save.php b/application/libraries/Save.php
@@ -136,7 +136,14 @@ function savedcontrol()
         }
 
         $duplicate = SavedControl::model()->findByAttributes(array('sid' => $surveyid, 'identifier' => $_POST['savename']));
-        if (!empty($duplicate) && $duplicate->count() > 0)  // OK - AR count
+        $duplicate = SavedControl::model()->findByAttributes(array('sid' => $surveyid, 'identifier' => $_POST['savename']));
+        if (strpos($_POST['savename'],'/'!==false || strpos($_POST['savepass'],'/'!==false)) || strpos($_POST['savename'],'&'!==false || strpos($_POST['savepass'],'&'!==false))
+            || strpos($_POST['savename'],'\\'!==false || strpos($_POST['savepass'],'\\'!==false)))
+        {
+            $errormsg .= gT("You may not use slashes or ampersands in your name or password.")."<br />\n";
+            return;
+        }
+        elseif (!empty($duplicate) && $duplicate->count() > 0)  // OK - AR count
         {
             $errormsg .= gT("This name has already been used for this survey. You must use a unique save name.")."<br />\n";
             return;
@@ -206,8 +213,12 @@ function savedcontrol()
                 $message .= gT("Name").": ".$_POST['savename']."\n";
                 $message .= gT("Password").": ".$_POST['savepass']."\n\n";
                 $message .= gT("Reload your survey by clicking on the following link (or pasting it into your browser):")."\n";
-                $message .= Yii::app()->getController()->createAbsoluteUrl("/survey/index/sid/{$surveyid}/loadall/reload/scid/{$scid}/loadname/".rawurlencode ($_POST['savename'])."/loadpass/".rawurlencode ($_POST['savepass'])."/lang/".rawurlencode (App()->language));
-                if ($clienttoken) $message .= "/token/{$clienttoken}";
+                $aParams=array('scid'=>$scid,'lang'=>App()->language,'loadname'=>$_POST['savename'],'loadpass'=>$_POST['savepass']);
+                if (!empty($clienttoken))
+                {
+                    $aParams['token'] = $clienttoken;
+                }
+                $message .= Yii::app()->getController()->createAbsoluteUrl("/survey/index/sid/{$surveyid}/loadall/reload",$aParams);
 
                 $from="{$thissurvey['adminname']} <{$thissurvey['adminemail']}>";
                 if (SendEmailMessage($message, $subject, $_POST['saveemail'], $from, $sitename, false, getBounceEmail($surveyid)))