Closed wohnlice closed 2 years ago
Would you check #1053 to verify that it resolves this issue?
I tested #1053 and it does resolve this issue.
wohnlice wrote at 2022-7-27 07:52 -0700:
I tested #1053 and it does resolve this issue.
Thank you for your bug report and your help to resolve it!
Fixed via #1053 and #1054.
BUG/PROBLEM REPORT (OR OTHER COMMON ISSUE)
What I did:
Originally reported here as I thought this was an issue with plone.app.drafts/plone.app.mosaic. https://github.com/plone/plone.app.drafts/issues/13
Create a Plone (5.2.8) site with plone.app.mosaic. Navigate to the add new News Item page e.g. "/Plone/++add++News Item". Toggle focus on a field to trigger the XHR @@z3cform_validate_field
What I expect to happen:
@@z3cform_validate_field returns with HTTP code 200
What actually happened:
@@z3cform_validate_field returns with HTTP code 500
What version of Python and Zope/Addons I am using:
Plone 5.2.8, plone.app.mosaic 2.2.3
The issue stems from this regex and the following function: https://github.com/zopefoundation/Zope/blame/4.8.1/src/ZPublisher/cookie.py#L254. The path_safe regex does not allow for valid characters like "-" and "+", possibly others. So what happens is this function is passed an already quoted path value that has one or more of "-" and "+", in addition to a space already quoted as "%20". Because "+" isn't caught by the regex, path_safe finds no match. But because it does have "%", the path_converter function raises a ValueError. The end result is ZPublisher creates an empty cookie value and @@z3cform_validate_field fails to parse this cookie properly.
To me this does not look like an issue with either plone.app.z3cform or plone.app.drafts (by way of plone.app.mosaic) but is rather an issue with ZPublisher doing some weird stuff. One solution would be to improve that regex. But if the goal is simply to avoid quoting an already quoted value, perhaps the regex should be ditched in favor of something like the following:
This handles cases where value is either quoted or not, but doesn't delve into the mechanics of what quote/unquote does.
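The failure mode described in the report, next to a decode-then-encode normalization, as an added Python example (not the reporter's snippet and not Zope's code). `NARROW_SAFE`, `strict_path`, `normalized_path`, `is_cookie_path_safe` and the `safe="/+"` choice are assumptions made for this illustration.

```python
import re
from urllib.parse import quote, unquote

# Constructed samples: the News Item add path from the report, quoted and raw.
QUOTED = "/Plone/++add++News%20Item"
RAW = "/Plone/++add++News Item"

# Hypothetical allowlist written for this example (NOT Zope's pattern);
# like the one described in the report, it has no "+" or "-".
NARROW_SAFE = re.compile(r"[A-Za-z0-9_./]*\Z")

# RFC 6265 path-value: any CHAR except CTLs and ";".
COOKIE_PATH_VALUE = re.compile(r"[\x20-\x3a\x3c-\x7e]*\Z")


def strict_path(value):
    """Model of the reported failure: allowlist miss plus '%' raises."""
    if NARROW_SAFE.match(value):
        return value
    if "%" in value:
        raise ValueError("unsafe characters in an already-quoted path")
    return quote(value)


def normalized_path(value):
    """Decode once, encode once: quoted and raw input give the same result.

    Assumption: "+" stays literal (safe="/+") so the Path attribute still
    matches the request path character for character.
    """
    return quote(unquote(value), safe="/+")


def is_cookie_path_safe(path):
    """True if path can sit in a Set-Cookie Path attribute unmodified."""
    return COOKIE_PATH_VALUE.match(path) is not None


if __name__ == "__main__":
    # The last candidate is a constructed hostile value with ";" and CR/LF.
    for candidate in (QUOTED, RAW, "/a;b\r\nx"):
        try:
            print("strict    ", repr(strict_path(candidate)))
        except ValueError as exc:
            print("strict    ", "ValueError:", exc)
        out = normalized_path(candidate)
        print("normalized", repr(out), is_cookie_path_safe(out))
```

A raw value that contains a literal "%" followed by two hex digits is indistinguishable from a quoted one, so this normalization treats it as quoted.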