Escaping username/roles parameters to allow usernames/roles with special characters. #3570

Merged
merged 4 commits into from Mar 7, 2017

@dennisoelkers
Member

dennisoelkers commented Mar 6, 2017

Description

Motivation and Context

Before this change it was possible to create user/role names containing one or more slashes or other special characters, but it was not possible to delete them afterwards from the web interface.

After this change, the user/role name used to construct the URL to the backend is escaped properly, so deletions succeed even if the user/role name contains one or more special characters.

Fixes #3569. Should also be merged into 2.2.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@dennisoelkers dennisoelkers added this to the 2.3.0 milestone Mar 6, 2017

@dennisoelkers dennisoelkers changed the title from Escaping username component to allow usernames with slash. to Escaping username/roles parameters to allow usernames/roles with special characters. Mar 6, 2017

@joschi

Basically a question of style, but shouldn't the call to encodeURIComponent be added to the routes in Routes.jsx instead of to every occurrence in other source locations?
That way it can't be forgotten by other authors.

@joschi joschi self-assigned this Mar 6, 2017

@dennisoelkers

Member

dennisoelkers commented Mar 7, 2017

I totally understand your question and had the same idea at first. Unfortunately we cannot do it that way, because we also use those routes to generate the route map for our application and reuse the parameters with placeholders (:username etc.) to generate dynamic routes for react-router. So fixing it this way was the least intrusive way for now. I would like to spend some time to think about how to refactor it properly though, but this would be a bit beyond the scope of this PR. Thanks for the input!

@joschi

There still seem to be some places missing.

For example I'm unable to log in with a user named "foo/bar".

The Chrome Console shows the following error message:

There was an error fetching a resource: cannot GET http://127.0.0.1:9000/api/users/foo/bar (404). Additional information: HTTP 404 Not Found

Unhandled rejection Error: cannot GET http://127.0.0.1:9000/api/users/foo/bar (404)
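
As an added example (not part of this pull request or of Graylog's code): the effect of leaving a name like "foo/bar" unescaped, and one way to keep route templates with :placeholders intact for the router while encoding values whenever a concrete URL is built. The route table and the functions `naiveUserPath`, `buildPath` and `segments` are hypothetical names; rejecting "." and ".." goes beyond what the thread discusses.

```javascript
// Added example, not Graylog code. Route names and templates are hypothetical.
const ROUTE_TEMPLATES = {
  user: '/users/:username',
  role: '/roles/:rolename',
};

// Naive concatenation: the slash in the name becomes a path separator,
// so the backend sees an extra segment and answers 404.
function naiveUserPath(username) {
  return '/users/' + username;
}

// Fill a template's :placeholders with percent-encoded values. The template
// itself is left untouched, so it can still be handed to the router as a pattern.
function buildPath(template, params) {
  return template.replace(/:([A-Za-z_]\w*)/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`missing route parameter: ${name}`);
    }
    const value = String(params[name]);
    // encodeURIComponent leaves "." alone, and URL parsers collapse "." and ".."
    // segments, so these values cannot be carried as a single path segment.
    if (value === '' || value === '.' || value === '..') {
      throw new Error(`unusable value for route parameter: ${name}`);
    }
    return encodeURIComponent(value);
  });
}

// Split a path into segments the way a server-side router would.
function segments(path) {
  return path.split('/').filter((s) => s.length > 0);
}

// Constructed sample names.
const samples = ['foo/bar', 'a b?c#d', 'ops%team'];
for (const name of samples) {
  const path = buildPath(ROUTE_TEMPLATES.user, { username: name });
  console.log(JSON.stringify(name), '->', path, `(${segments(path).length} segments)`);
}
const naive = naiveUserPath('foo/bar');
console.log('naive:', naive, `(${segments(naive).length} segments)`);
```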

dennisoelkers added some commits Mar 6, 2017

@dennisoelkers dennisoelkers force-pushed the issue-3569 branch from ce490be to b1ad52a Mar 7, 2017

@dennisoelkers

Member

dennisoelkers commented Mar 7, 2017

, also rebased to current master.

@joschi

joschi approved these changes Mar 7, 2017

LGTM. 👍

@joschi joschi merged commit 34446c2 into master Mar 7, 2017

3 of 4 checks passed

continuous-integration/travis-ci/push The Travis CI build is in progress
ci-web-linter Jenkins build graylog-pr-linter-check 1407 has succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
licence/cla Contributor License Agreement is signed.

@joschi joschi deleted the issue-3569 branch Mar 7, 2017

@joschi joschi removed the ready-for-review label Mar 7, 2017

dennisoelkers added a commit that referenced this pull request Mar 7, 2017

Properly escape username/roles in web interface (#3570)
* Escaping username component to allow usernames with slash.
* Allowing to handle deletion/updates of roles with special characters.
* Allowing editing/updating/deleting users with special characters in name
* Using proper route methods, escaping username in CurrentUserStore.

Fixes #3569

(cherry picked from commit 34446c2)

joschi added a commit that referenced this pull request Mar 7, 2017

Properly escape username/roles in web interface (#3588)
* Escaping username component to allow usernames with slash.
* Allowing to handle deletion/updates of roles with special characters.
* Allowing editing/updating/deleting users with special characters in name
* Using proper route methods, escaping username in CurrentUserStore.

Fixes #3569

(cherry picked from commit 34446c2 / PR #3570)