Closed 46Wil closed 8 years ago
The github bug report system seems to have stripped out the character in question. It only shows the backslash character ( \ \ Reverse solidus (backslash).
Can you describe the character, perhaps referring to the code number from: http://www.december.com/html/spec/codes.html or http://www.ebyte.it/library/educards/html/HTMLEntitiesAndGlyphs.html
meekrodb in TeamPass is several commits behind that project. There are several changes worth merging to the customized version of db.class.php in teampass, like https://github.com/SergeyTsalkov/meekrodb/commit/da46a1eacc683b34fcbba069c1f25f6930fbb9c9
Some deal with string encoding and decoding, and may correctly store protected characters, fixing bugs like this. Unit tests would need to confirm that no existing passwords are ever returned incorrectly.
The error logging hacks inserted into db.class.php could be moved into a parent wrapper function, so that meekrodb can stay updated.
That is correct, it is the backslash, "\ \ Reverse solidus (backslash)", but it only has issues on the Label. It doesn't have issues in the password or in the username.
Putting aaaa\aaaa
into the label field stores this in the database: aaaa\aaaa
- however bbbb\bbbb in the description field stores bbbb\bbbb
in the database.
Replacing the database label with one encoded like the description fixes everywhere except when editing the label, which shows semi-sanitized output - it removes amp; but not the #92;
The problem is caused by inconsistent encoding and decoding, specifically double-sanitizing html entities. Example is line 387 in sources/items.queries.php:
$label = noHTML(htmlspecialchars_decode($dataReceived['label']));
It calls a teampass function noHTML in main.functions, that does:
return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, $encoding);
The doctype should be ENT_XHTML, and the fourth parameter double_encode should be set to false, for starters. Elsewhere reversing the encoding is done inconsistently.
I'll see if i can work up a fix that will be compatible with any previously stored labels (or at least not make them worse).
A backslash in the URL field is even more misbehaved, giving a User not allowed to access this folder! error on creation or a _ERR_JSONFORMAT ERROR (JSON is broken)!!!!! on edit.
The doctype should be ENT_XHTML, and the fourth parameter double_encode should be set to false, for starters. Elsewhere reversing the encoding is done inconsistently.
Yes absolutely, thank you for this tip.
I really appreciate all the help you provide on this project.