-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
default arg_separator.output to & not & #14782
Comments
@karlitschek can you answer @butonic's question? THX |
@butonic honestly I can´t recall the reason for this at the moment. |
close or fix? |
@LukasReschke opinion? |
This seems unrequired nowadays and like a legacy fragment. It should be safe to remove. Fixes #14782
Did some digging. From a security perspective changing this seems not to be a risk, however it might actually break some other stuff that relied on the non-default behaviour we added in here. But that seems unlikely to me. That said it is not really a good practice to have such non-default behaviour and I created a PR to kill it for master. But we certainly shouldn't backport it. PR is at #15232 |
ownCloud currently sets
arg_separator.output
to&
to force the separation of query parameters to work correctly when a url is rendered in an HTML page, see http://www.w3.org/QA/2005/04/php-sessionfound in https://github.com/owncloud/core/blob/master/lib/base.php#L495:
This setting influences how
http_build_query
behaves and might cause problems for libraries we use when they expect the default query parameter to be&
because they want to execute a curl request.acking my core repo gives various results:
of particular interest is https://github.com/owncloud/core/blob/master/apps/files_sharing/lib/external/storage.php#L224
It will do a curl request with the query, which will fail should we add another parameter.
We could either use our url generator here, or switch back to the default
&
and make sure our urls are encoded correctly when using PHPSESSID as a query param instead of a cookie.@LukasReschke any security related concerns? @karlitschek It seems this has been in the first commit, care to shed some light if this is still good practice today?
cc @dagan
The text was updated successfully, but these errors were encountered: