I have a C/CGI application. In order to redirect to the same page
const char * redirect_page_format =
"<html>\n"
"<head>\n"
"<meta http-equiv=\"REFRESH\"\n"
"content=\"0;url=%s\">\n"
"</head>\n"
"</html>\n";
printf (redirect_page_format, getenv (URL));
Before this the url is like this "http://ipaddress/page.html".
For some pages, I am able to redirect correctly.
But some html pages,
The url is either appended with a character like this "http://ipaddress/page.htmlP"
Or the url is changed like one of the following:
http://ipaddress/page.htm
http://ipaddress/page.hX
Edit 1
I will send the url through query string. It will be got using the command.
getenv("QUERY_STRING")
By parsing the query string, url can be got and it is given as an argument to redirect command.
printf (redirect_page_format, getenv (URL));
I can't see anything that would cause that in the above code. Sounds like some wayward pointer writing somewhere else in the script might have written data to corrupt the end of the variable string?
What is getenv(URL) anyway? There isn't a standard CGI environment variable that gives you the current URL; you usually have to tiresomely piece it together from REQUEST_METHOD/HTTP_HOST/SERVER_PORT/SCRIPT_NAME/PATH_INFO/QUERY_STRING. On Apache you do get REQUEST_URI but it won't work on other servers.
Whilst it wouldn't usually cause the problem you quote, there is an issue with printfing text into an HTML context like you have above: you don't have any HTML-escaping, so any &, " or < characters in the URL will cause invalid output. Every time you add text or attribute value content from a string you must HTML-escape it, or you risk a cross-site-scripting security hole. (" and < are unlikely to exist in a URL but can get there depending on how you're handling SCRIPT_NAME/PATH_INFO. & is very likely to appear in the URL.)
Finally, <meta refresh> for redirect is highly undesirable. Why not a proper Location-based redirect?
Related
My react app seems to be automatically decoding %25 to a %, however I need it to stay as %25.
Let's say I have a route that looks like the below. The route has a param which is a string containing an encoded url.
https://mywebsite.com/{encoded_url_string}
As an example, let's say the unencoded url string is:
https://urlparam.com/public/?test=c%3Dvalue
Which, encoded, would become
https%3A%2F%2Furlparam.com%2Fpublic%2F%3Ftest%3Dc%253Dvalue
So the full route would look like this:
https://mywebsite.com/https%3A%2F%2Furlparam.com%2Fpublic%2F%3Ftest%3Dc%253Dvalue
My issue is that when I grab this param (using the query-string library) from the URL, and try to write it to my page, instead of literally being:
https%3A%2F%2Furlparam.com%2Fpublic%2F%3Ftest%3Dc%253Dvalue
Which is exactly as it is in the URL param, I'm getting:
https%3A%2F%2Furlparam.com%2Fpublic%2F%3Ftest%3Dc%3Dvalue
Notice that the last bit in the first one is "test%3Dc %25 3Dvalue" (ignore the spaces, StackOverflow won't let me bold without it), while the second one is just test%3Dc%3Dvalue (missing the %25)
Any ideas why the %25 is being decoded to a simple %? Any way to prevent that?
In my angular application, I need to make GET call to a Tomcat server. This GET call requires query parameters which could contain special characters too like "+", "/", "/+"
GET call is being made from angular controller using $window.open with target as "_blank"
Currently the redirection is getting failed without any encoding.
So, I added encoding in .js file before the GET call is being made by using encodeURIComponent.
Then I added decoding logic using URLDecode.decode in backend java code to decode query parameters.
But still it doesn't work.
It works only if I encode query parameters twice within the .js file using encodeURIComponent twice.
I am trying to find the root cause for double encoding but no luck yet. I would greatly appreciate if anyone could share any inputs.
Made it work by adding a * in path parameter in app.js. Adding a star means that the request will include multiple path parameters separated by /, and so angular will not try to encode / in the request.
Double encoding could also work but then the server side logic has to be modified to decode the request parameters twice and replace %2B2F by %2F
I am building in invite/registration form for my site. The idea is that one user invites another user, which sends a code with a url to register with. The problem is that the code can have an encoded backslash in it. When that encoded backslash is processed in Angular, it seems to get decoded and ends up busting the routing.
http://localhost:54464/ang/register/owi0%2fCQCrjzBcwqEORVVHhrICIANGKxtxMJ2Kh91y%2bNhhB%2br06appZzEVPhpkP2C
becomes:
http://localhost:54464/ang/register/owi0/CQCrjzBcwqEORVVHhrICIANGKxtxMJ2Kh91y+NhhB+r06appZzEVPhpkP2C
How can I stop this behavior?
Try using a route like:
/register/*code
The code will contain the string with the slashes
source
It is typically used for path-like url arguments...but I don't see why this wouldn't work for your case.
I am sending a signup activation email containing a signup confirmation url with a confirmation token that points to an angular front end app:
...
Activate
...
Note that the token is a JWT and is fairly long.
This works find for most users, but for some clicking on the link takes them to https://domain/com only without the confirm-signup?token=...
It seems as though the mail client may be stripping off everything after the #, but I can't find any evidence of others having this problem, nor can I reproduce it.
My best guess so far is that some mail clients are seeing the # and somehow treating the trailing part as an internal anchor and stripping it...?
Has anyone else encountered this sort of problem? If so, have you found any solution short of replacing the whole mechanism with something else?
Some clients treat the hash-link just fine. Others don't. There's a conversation about Outlook being dirty about this here: Outlook strips URL hash from email
What we did to resolve this at our company is simply create a handler on our server that redirects. Your email link would become http://domain.com/email-link?url=https%3A%2F%2Fdomain.com%2F%23%2Fconfirm-signup%3Ftoken%3D1234 and your server side script would grab the query param url and immediately trigger a redirect.
You'd need to make sure that you find all links in your emails and replace them. Here's a PHP function for that, but you could do this in whatever backend language you're using. Regex here may be helpful at least.
function replaceLinks($html,$hash) {
return preg_replace_callback('/<a [^>]*href=[\"\']{1}(.+?)[\"\\\']{1}/', function($matches) use ($hash) {
return str_replace($matches[1],"http://domain.com/email-link?url=".rawurlencode($matches[1]),$matches[0]);
}, $html);
}
Yes I have encountered this issue before because of the #, I was trying to link to a anchor on a landingpage.. My solution ended up using a short.url service to "hide" the # from the html e.g. https://goo.gl/
Looks like you need percent encoding!
A lot of times when your href gets parsed (by angular in this case) it doesn't handle the special characters right, or strips them. Find your problem characters and replace them with %3F for ?, %26 for &, and %23 for #. The rest are in a chart in the link.
Once the encoded address hits the browser the url will be decoded in your url bar.
I'm running an app with Sinatra/backbone.
Let's say I visit the page http://localhost:3000/cases/1/read?name=Some%20Guy that is using the name parameter to display data on the page.
Does this present an XSS issue?
I'm just trying to send data from one page to another through a button click with the param data.
A quick test is to try the URL
http://localhost:3000/cases/1/read?name=<script>alert('foo');</script>
If the script executes and an alert popup appears, then XSS is definitely possible.
Other XSS patterns are possible too depending on where the name value is output.
You should output encode to prevent this type of attack. The encoding to use depends on the language context of your output (if is it JavaScript, HTML, or CSS, etc). e.g. " becomes " in HTML, but \x22 in JavaScript and JSON. The correct encoding prevents an attacker being able to escape out of the context and inject their own scripts. You should also set the charset to UTF-8 to prevent some UTF-7 filter evasion attacks.
Not necessary. All dependence on which way data shows to user. If you keep in mind, that data can be wrong and for example escape string before output - it will be ok.