The URL modification by mod_rewrite, which transforms loris.ca/foo/bar into loris.ca?lorispath=foo/bar, seems to leak into $_SERVER and consequently into the PSR7 $request object on an Apache server. This means that lorispath is accessible in getQueryParams() and, more importantly, that $request->getUri()->__toString() is not usable to get the current request URL.
To Reproduce
Have a setup with an Apache server.
Inspect the PSR7 $request object.
We reproduced this behaviour on both my and @ridz1208's machines.
Thoughts
I am not sure yet what the possible fixes to this unintended behaviour are. Either way, here are the potential solutions I could think of:
Change the Apache/PHP configuration to prevent the rewritten URL from leaking.
Manually create the $request object to use the original request URL.
Do not rewrite the URL (if possible).
Ignore the leak (the original URL is still accessible in $_SERVER['REQUEST_URI']).
MaximeMulder added the Bug label on Feb 12, 2024
I looked over this with @ridz1208 and it seems like the path and query params are correct in the PSR7 object, it's just that it also has the lorispath query parameter (which was added by mod_rewrite) set.
I think the solution is just to modify (or rather create a new, since they're immutable) request object right after it's created in index.php (around here: https://github.com/aces/Loris/blob/main/htdocs/index.php#L42) to remove the lorispath query parameter before passing it along to the LORIS router.
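One way to implement the fix proposed in the comment above, as an added example that is not LORIS's own code: it drops lorispath from both getQueryParams() and the URI query string using the immutable PSR-7 with*() methods. The helper name stripRewriteParam, the Composer autoloader path, the use of laminas/laminas-diactoros to build the sample request, and the sample URL with its page parameter are assumptions.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: Composer autoloader location

use Laminas\Diactoros\ServerRequest;      // assumption: only used to build the sample request
use Psr\Http\Message\ServerRequestInterface;

/**
 * Hypothetical helper: return a copy of $request without the query
 * parameter injected by mod_rewrite. PSR-7 objects are immutable, so
 * every with*() call returns a new instance and $request is untouched.
 */
function stripRewriteParam(
    ServerRequestInterface $request,
    string $param = 'lorispath'
): ServerRequestInterface {
    // 1. Parsed parameters, as seen through getQueryParams().
    $params = $request->getQueryParams();
    unset($params[$param]);

    // 2. Raw query string of the URI. Filter pair by pair instead of
    //    parse_str()/http_build_query(), which would rename keys containing
    //    dots or spaces and re-encode the values the client actually sent.
    $pairs = array_filter(
        explode('&', $request->getUri()->getQuery()),
        static fn (string $pair): bool =>
            $pair !== '' && urldecode(explode('=', $pair, 2)[0]) !== $param
    );
    $uri = $request->getUri()->withQuery(implode('&', $pairs));

    // preserveHost = true keeps the Host header of the original request.
    return $request->withQueryParams($params)->withUri($uri, true);
}

// Constructed sample: the request as it looks after the rewrite described
// in this issue (path intact, extra lorispath parameter present).
$request = new ServerRequest(
    [], [], 'https://loris.ca/foo/bar?lorispath=foo/bar&page=2', 'GET',
    'php://memory', [], [], ['lorispath' => 'foo/bar', 'page' => '2']
);
$clean = stripRewriteParam($request);

echo (string) $clean->getUri(), PHP_EOL;
var_dump(array_key_exists('lorispath', $clean->getQueryParams()));
```

The helper removes every lorispath pair, so a lorispath value sent by the client in the original URL is dropped as well.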