Seaside icon indicating copy to clipboard operation
Seaside copied to clipboard

Published 20 hours ago verified publisher icon SeasideSt

WAUrl>>#initializeFromString: error when query parameters include scheme

Open pdebruic opened this issue 4 years ago • 5 comments

When using Google OAuth2 they make you set absolute URLs as query parameters. e.g.

https://www.example.com/gmailOauth2Callback?state=743bXEqXLe5PucpZLW92&code=4/1wH1DIitgV-Ko-AezApV730SJ-Sx5M64ww5ttygg5QT5eJ3GGG3KB8yJgiH-V02XJx84_DNdpGfPpZKz0XzunNg&scope=https://www.googleapis.com/auth/gmail.compose%20https://www.googleapis.com/auth/gmail.metadata

GemStone's fastcgi uses just the $request_uri part:

/gmailOauth2Callback?state=743bXEqXLe5PucpZLW92&code=4/1wH1DIitgV-Ko-AezApV730SJ-Sx5M64ww5ttygg5QT5eJ3GGG3KB8yJgiH-V02XJx84_DNdpGfPpZKz0XzunNg&scope=https://www.googleapis.com/auth/gmail.compose%20https://www.googleapis.com/auth/gmail.metadata

of the initial URL. WAUrl>>#initializeFromString: parses the scheme part of those query parameters as the initial scheme for the whole URL and then signals a syntax error.

I'll submit a PR for a fix for this issue. But maybe it should be part of a fix for #551

pdebruic avatar Jul 14 '20 14:07 pdebruic

I think erroring is correct. I believe #initializeFromString: takes a percent encoded URL. If we check RFC-3986 3.4. Query

query         = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded   = "%" HEXDIG HEXDIG
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

So I don't think ? should be allowed in the query.

marschall avatar Jul 16 '20 18:07 marschall

Maybe I misunderstand. I think the error I hit is that there isn't a scheme at the start the string being parsed in #initializeFromString: and so the scheme in the query part is detected as the scheme for the entire URL which messes up the indexes used to find the path and query etc...

FastCGI on GemStone looks at the $request_uri. Nginx defaults to passing the "URL without the scheme/domain/auth/port/" parameters as the $request_uri. I could change what GemStone is using to be the "full URL"

I agree a ? should be % encoded if included in the query. right? or not at all I guess.

pdebruic avatar Jul 16 '20 20:07 pdebruic

The first URL in the first message on this issue is the entire URL, not the query parameter of another URL. Sorry that was unclear.

pdebruic avatar Jul 16 '20 20:07 pdebruic

Also is there a reason we don't process the URL as a stream? I might mess around with that.

pdebruic avatar Jul 16 '20 20:07 pdebruic

I see, I misunderstood, we somehow need to know whether the URL starts with a scheme or not.

marschall avatar Jul 17 '20 08:07 marschall

@pdebruic I think this is now fixed in https://github.com/SeasideSt/Seaside/pull/1377 which was merged into release 3.5.4. Can you give it a try?

jbrichau avatar Sep 12 '23 11:09 jbrichau

I will close the issue as I tried the example you provided, but feel free to reopen when needed!

jbrichau avatar Sep 12 '23 12:09 jbrichau

Regarding:

So I don't think ? should be allowed in the query.

It might be worth knowing: the PetitParser grammar for the ‘URI’ rule from RFC 3986 that I gave in a comment on Zinc issue #100 accepts both http://host/?%3F and http://host/??. Per section 2.2 in the RFC, those two URIs are not equivalent as ? is a reserved character and “URIs that differ in the replacement of a reserved character with its corresponding percent-encoded octet are not equivalent”, there’s some further explanation in Zinc issue #97.

Rinzwind avatar Sep 12 '23 12:09 Rinzwind