[Seaside] Swazoo bugs that can affect Seaside

Philippe Marschall philippe.marschall at gmail.com
Sat Aug 6 18:59:47 UTC 2011


2011/8/3 Dale Henrichs <dhenrich at vmware.com>:
> In the last week or so, I've run into a couple of bugs in Swazoo that may be of interest to any Seasiders using Swazoo in their applications. I've got workarounds for GLASS if anyone is interested.
>
> The first bug is in SwazooURI where the query fields in a URL will be incorrectly parsed if an `&` or other special character is embedded in the value of the field. The following example illustrates the bug:
>
>  | url ans1 ans2 |
>  url := 'www.foo.com/index.html?foo=1&bar=', 'bar"sample method"^#($&)' encodeForHTTP.
>  ans1 := SwazooURI fromString: url.
>
>  ans2 := SwazooURI new.
>  ans2 fromStream: url readStream.
>
>  ans1 printString = ans2 printString
>
> SwazooURI>>fromString: (called by SwazooURI class>>fromString:) prematurely decodes the input string exposing the `&` and causes the parser to think that there is an additional query field in the input url and results in the truncation of the value of the `bar` field. The fix is to remove the call to HTTPString class>>decodedHTTPFrom: from SwazooURI>>fromString: ... the subsequent parsing of the query fields already calls HTTPString class>>decodedHTTPFrom:
>
> This bug is present in Swazoo-2.3beta2.6

Nice catch. I attached a test for this.

Cheers
Philippe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SwazooURITest-testFromString.st
Type: application/octet-stream
Size: 392 bytes
Desc: not available
Url : http://lists.squeakfoundation.org/pipermail/seaside/attachments/20110806/2eeb0da6/SwazooURITest-testFromString.obj
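
The decode-before-split ordering described in the report, next to the split-then-decode ordering of the fix, as an added Python illustration (not Swazoo code and not from either poster). The function names and the second sample value (`%2541`) are assumptions made for this example; the second case goes slightly beyond the report to show the double decoding that the same ordering causes.

```python
from urllib.parse import quote, unquote


def parse_query_decode_first(url):
    """Ordering described in the report: decode the whole URL, split the
    query, then decode each field again."""
    decoded = unquote(url)                      # premature decode exposes '&'
    _, _, query = decoded.partition('?')
    fields = {}
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        fields[unquote(name)] = unquote(value)  # second decode of the same data
    return fields


def parse_query_split_first(url):
    """Ordering after the fix: split on the literal delimiters first, then
    decode each name and value exactly once."""
    _, _, query = url.partition('?')
    fields = {}
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        fields[unquote(name)] = unquote(value)
    return fields


# Constructed input modelled on the URL in the report.
RAW_VALUE = 'bar"sample method"^#($&)'
URL = 'www.foo.com/index.html?foo=1&bar=' + quote(RAW_VALUE, safe='')

# Constructed input: the field value is the literal text "%41".
DOUBLE_URL = 'www.foo.com/index.html?v=%2541'

if __name__ == '__main__':
    for label, parser in (('decode first', parse_query_decode_first),
                          ('split first', parse_query_split_first)):
        print(label, parser(URL), parser(DOUBLE_URL))
```

With decoding done first, `bar` is cut off at the embedded `&` and a spurious `)` field appears, and the literal `%41` is turned into `A`; with splitting done first both values round-trip unchanged.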

