Zope-Bug affecting my url_quoting (bug in getattr?)
Hi all,

I just detected a serious bug: (in short: to my mind getattr() behaves wrong)

http://freegis.org/details.en.html?name=Geoprocessamento%3a%20Teoria%20e%20A...

was produced using <dtml-var name urlquote>.

(for those who don't have a browser at hand: the attribute is converted back to
Geoprocessamento: Teoria e Aplicaçdetails.en.html5es
which is obviously wrong)

Manually using capital letters for the url quoting will work (i.e. here just '%F5es' at the end of the above URL).

Apparently the %f is substituted by someone by the filename (getattr already delivers this error).

Here is the code of details.en.html:

---------
<dtml-var standard_html_header>
<dtml-call "unquote()">
<dtml-if "_.hasattr(REQUEST, 'name')">
<dtml-var entry_detailed>
<dtml-else>
Error: there was no name given.
</dtml-if>
<dtml-var standard_html_footer>
---------

And here is unquote() [a python extension]:

---------
from urllib import *

def unquote_name(self):
    request = getattr(self, 'REQUEST')
    if hasattr(request, 'name'):
        name = getattr(request, 'name')
        # name already now contains the "%f" substituted by
        # "details.en.html"!!!
        request.set('name', unquote(name))
    return ''
---------

And here is the beginning of entry_detailed:

---------
<dtml-with REQUEST>
<h2>FreeGIS-summary on <dtml-var name></h2>
[...]
---------

--
Jan-Oliver Wagner http://intevation.de/~jan/
Intevation GmbH http://intevation.de/
FreeGIS http://freegis.org/

Your report has some strange elements in it. See below....

Jan-Oliver Wagner writes:
> I just detected a serious bug: (in short: to my mind getattr() behaves wrong)
> http://freegis.org/details.en.html?name=Geoprocessamento%3a%20Teoria%20e%20A...
> was produced using <dtml-var name urlquote>.

You should use "url_quote_plus".
Space (i.e. %20) is not allowed as part of the query string. It must be coded as '+'. Some browsers are serious about this restriction (e.g. IE 5.5).

> (for those who don't have a browser at hand: the attribute is converted back to Geoprocessamento: Teoria e Aplicaçdetails.en.html5es which is obviously wrong)

I used my browser (and Zope 2.3.3). It was converted to
Geoprocessamento: Teoria e Aplicações
Precisely, what one would expect....

> Manually using capital letters for the url quoting will work (i.e. here just '%F5es' at the end of the above URL).
> Apparently the %f is substituted by someone by the filename (getattr already delivers this error).
> ....
> def unquote_name(self):
>     request = getattr(self, 'REQUEST')
>     if hasattr(request, 'name'):
>         name = getattr(request, 'name')
>         # name already now contains the "%f" substituted by
>         # "details.en.html"!!!
>         request.set('name', unquote(name))
>     return ''

I am sure, "getattr" returns the value that is in "REQUEST" without substituting "%f" -- it did when I tried to reproduce your problem! Maybe, you display "REQUEST" before mangling:

<dtml-var REQUEST>
<dtml-var unquote>
<dtml-var REQUEST>

Why do you want to unquote anyway? Zope already did it for you! Dangerous to do it a second time!

Maybe, you want to read URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html for details, how Zope processes parameters.

Dieter

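Added example, not part of the original thread: the points raised in the message above (quote versus quote_plus, the case of the hex digits, and unquoting a second time) checked with Python 3's urllib.parse. It assumes a Latin-1 site charset and uses parse_qs as a stand-in for the server's own request parsing; the function names are hypothetical.

```python
# Added example, not code from the thread. Python 3 urllib.parse stands in
# for the server's request parsing; all function names are hypothetical.
from urllib.parse import parse_qs, quote, quote_plus, unquote

ENCODING = "latin-1"  # assumption: site charset, so "õ" is the single byte 0xF5


def server_decode(query_string):
    """Decode a query string once, as the server does before application
    code sees the request parameters."""
    parsed = parse_qs(query_string, keep_blank_values=True, encoding=ENCODING)
    return {key: values[0] for key, values in parsed.items()}


def changed_by_second_decode(value):
    """True if unquoting an already-decoded value would alter it."""
    return unquote(value, encoding=ENCODING) != value


def demo():
    title = "Geoprocessamento: Teoria e Aplicações"  # title from the thread
    results = {}
    # quote() and quote_plus() differ in how they write the space (%20 vs +);
    # one server-side decode recovers the title from either form.
    for encoder in (quote, quote_plus):
        query = "name=" + encoder(title, encoding=ENCODING)
        results[encoder.__name__] = server_decode(query)["name"] == title
    # Hex digits in an escape are case-insensitive: %f5 and %F5 are one byte.
    results["case_insensitive"] = (
        server_decode("name=Aplica%e7%f5es") == server_decode("name=Aplica%E7%F5es")
    )
    # Constructed input: the user's text itself contains the characters "%3A".
    literal = "how to write %3A"
    once = server_decode("name=" + quote_plus(literal, encoding=ENCODING))["name"]
    results["once"] = once  # intact after one decode
    results["twice"] = unquote(once, encoding=ENCODING)  # second decode alters it
    results["flagged"] = changed_by_second_decode(once)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

A value that is validated after the first decode and then unquoted again is no longer the value that was validated, which is why the second decode belongs nowhere in application code.
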
Hi Dieter, all,

> > Manually using capital letters for the url quoting will work (i.e. here just '%F5es' at the end of the above URL).
> > Apparently the %f is substituted by someone by the filename (getattr already delivers this error).

On Tue, Aug 07, 2001 at 10:43:51PM +0200, Dieter Maurer wrote:
> I am sure, "getattr" returns the value that is in "REQUEST" without substituting "%f" -- it did when I tried to reproduce your problem! Maybe, you display "REQUEST" before mangling:
> <dtml-var REQUEST>
> <dtml-var unquote>
> <dtml-var REQUEST>

I found the problem, finally. Even a document as simple as <dtml-var REQUEST> showed the strange substitution and I thought it must happen somewhere very deep. It was very deep - actually the error is caused still before Zope receives the URL: In my web-server.

So this is for the archive: If you are using Caudium (as I do) or Roxen Challenger the redirect patterns are buggy. %f is substituted silently there. A bug-report is submitted to Caudium, the Roxen people require registration for bug reports, so they will not receive one.

> Why do you want to unquote anyway? Zope already did it for you! Dangerous to do it a second time!

Does it? http://freegis.org/quote_test?my_var=%f5 shows no unquote in the REQUEST.

Jan

--
Jan-Oliver Wagner http://intevation.de/~jan/
Intevation GmbH http://intevation.de/
FreeGIS http://freegis.org/

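Added example, not part of the original thread and not Caudium's or Roxen's code: a constructed model of a redirect pattern expander that reproduces the symptom reported above, next to a version that scans only the pattern. The pattern syntax, the "%q" placeholder and all function names are hypothetical; the thread only states that "%f" is substituted by the file name.

```python
# Added example: a constructed model of a redirect pattern expander,
# not Caudium's or Roxen's code. "%q" and all names are hypothetical.
from urllib.parse import unquote

FILENAME = "details.en.html"   # page name from the thread
TEMPLATE = "/%f?%q"            # hypothetical pattern: %f = file, %q = query


def expand_buggy(template, filename, query):
    """Paste the request's query in first, then expand %f over the whole
    string: any escape in the query that starts with "%f" is rewritten."""
    return template.replace("%q", query).replace("%f", filename)


def expand_fixed(template, filename, query):
    """Scan only the template; inserted request data is never rescanned."""
    values = {"f": filename, "q": query}
    out, i = [], 0
    while i < len(template):
        key = template[i + 1:i + 2]
        if template[i] == "%" and key in values:
            out.append(values[key])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def decoded_name(url):
    """Decode the name parameter once, as the application server would."""
    value = url.split("?", 1)[1].split("=", 1)[1]
    return unquote(value, encoding="latin-1")


def query_survived(original_query, rewritten_url):
    """Check a rewrite rule: the forwarded query must be byte-identical."""
    return rewritten_url.split("?", 1)[1] == original_query


if __name__ == "__main__":
    for query in ("name=Aplica%e7%f5es", "name=Aplica%E7%F5es"):
        for expand in (expand_buggy, expand_fixed):
            url = expand(TEMPLATE, FILENAME, query)
            print(expand.__name__, query, "->", decoded_name(url))
```

In this model the lowercase escape is corrupted and the uppercase one passes through, matching the behaviour described in the thread; comparing the forwarded query string with the original, as query_survived does, is a quick test for any proxy or rewrite rule in front of an application.
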
I cannot reproduce this here, using exactly the setup you describe (external method and all), with Zope 2.3.3. Maybe something in standard_html_headers is already parsing incorrectly REQUEST? Or are you using any non-standard products that would be active before page rendering? Try a <dtml-var REQUEST> in standard_html_header just after <body>, and also at any interesting point in your files.

Regards,
Florent Guillaume
Nuxeo

> http://freegis.org/details.en.html?name=Geoprocessamento%3a%20Teoria%20e%20A...
> was produced using <dtml-var name urlquote>.
> (for those who don't have a browser at hand: the attribute is converted back to Geoprocessamento: Teoria e Aplicaçdetails.en.html5es which is obviously wrong)

participants (3)
- Dieter Maurer
- Florent Guillaume
- Jan-Oliver Wagner