View Issue Details

ID: 0001301
Project: Main CAcert Website
Category: account administration
View Status: public
Last Update: 2015-01-20 20:37
Reporter: wytze
Assigned To: NEOatNHNG
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2014 Q3
Target Version: 2014 Q3
Fixed in Version: 2014 Q4
Summary: 0001301: sanitizeHTML function converts input which contains non-ascii characters to an empty string
Description: The sanitizeHTML function which is used all over the place by the CAcert application code, returns an empty string when the input contains certain non-ascii characters, like ä or ö.
Steps To Reproduce: Create a new user with one or more non-ascii characters like ä or ö in her name(s), and try to assure this user. Observe that the name parts containing an 'offending' character will be displayed as empty by the application.
Additional Information: This problem is caused by an incompatibility between the CAcert application code and PHP 5.4. By upgrading the base operating system on the production server to Debian Wheezy, PHP has been upgraded from 5.3 to 5.4.
The CAcert function sanitizeHTML calls the PHP function htmlentities without specifying an 'encoding' argument. The PHP5 manual says about htmlentities, a.o.:
---
 encoding

    An optional argument defining the encoding used when converting characters.

    If omitted, the default value of the encoding varies depending on the PHP version in use. In PHP 5.6 and later, the default_charset configuration option is used as the default value. PHP 5.4 and 5.5 will use UTF-8 as the default. Earlier versions of PHP use ISO-8859-1.

    Although this argument is technically optional, you are highly encouraged to specify the correct value for your code if you are using PHP 5.5 or earlier, or if your default_charset configuration option may be set incorrectly for the given input.
---
From this we can gather that explicitly setting default_charset in the PHP configuration won't help for PHP 5.4 or PHP 5.5; an actual application code change will be needed. Fortunately, this change is quite simple:

--- general.php.org 2014-06-07 11:23:52.000000000 +0200
+++ general.php 2014-08-29 09:33:53.711875476 +0200
@@ -664,7 +664,7 @@

        function sanitizeHTML($input)
        {
- return htmlentities(strip_tags($input), ENT_QUOTES);
+ return htmlentities(strip_tags($input), ENT_QUOTES, "ISO-8859-1");
                //In case of problems, please use the following line again:
                //return htmlentities(strip_tags(utf8_decode($input)), ENT_QUOTES);
                //return htmlspecialchars(strip_tags($input));
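Review bot: the replacement line pins the encoding as the bare literal "ISO-8859-1" inside sanitizeHTML() only, which restores the PHP 5.3 default for this one function but does not tie it to the charset the rest of the application (database connection, page Content-Type, other htmlentities()/htmlspecialchars() callers) actually uses; if any caller hands this function UTF-8 bytes, htmlentities() will now happily emit two entities per character instead of returning "", so the mismatch becomes mojibake rather than a blank field. Suggest defining the application charset once (a named constant kept in step with the default_charset setting discussed in this issue) and passing that constant here, so a later move to UTF-8 is a single change. The two commented-out alternatives kept below the return (the utf8_decode() variant and the htmlspecialchars() line) are dead code; either drop them or say in the comment which situation each is retained for.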

TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test Instructions:
1. Create new user with the character ö in her last name.
2. Try to assure this new user and observe correct display of last name.
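The encoding-default change described under Additional Information, shown end to end as an added example (not CAcert code): the original and patched sanitizeHTML() from the issue run on constructed Latin-1 and UTF-8 input, plus a hypothetical ENT_SUBSTITUTE variant that makes a charset mismatch visible instead of silently blanking the field.

```php
<?php
// Added example, not CAcert code. Reproduces the failure from the issue
// (htmlentities() defaulting to UTF-8 on PHP >= 5.4) and contrasts it with
// the explicit-encoding fix. Run with: php sanitize_demo.php

// Constructed inputs: the name "Jörg" in the two encodings that matter.
// 0xF6 is 'ö' in ISO-8859-1 but an invalid UTF-8 byte; C3 B6 is 'ö' in UTF-8.
$latin1 = "J\xF6rg";
$utf8   = "J\xC3\xB6rg";

// Original sanitizeHTML() from the issue: no encoding argument. PHP 5.3
// assumed ISO-8859-1; PHP 5.4/5.5 assume UTF-8, so the Latin-1 byte 0xF6 is an
// invalid sequence and htmlentities() returns "" for the whole string (the bug).
function sanitizeHTML_old($input)
{
    return htmlentities(strip_tags($input), ENT_QUOTES);
}

// Patched sanitizeHTML() from the issue: encoding pinned to ISO-8859-1.
// Correct only while the input really is Latin-1; UTF-8 input is read as two
// Latin-1 characters per umlaut and comes back as two entities (mojibake),
// which is why the charset must be consistent application-wide.
function sanitizeHTML_fixed($input)
{
    return htmlentities(strip_tags($input), ENT_QUOTES, 'ISO-8859-1');
}

// Hypothetical defensive variant: ENT_SUBSTITUTE (PHP >= 5.4) replaces invalid
// sequences with U+FFFD instead of returning "", so a charset mismatch shows up
// as a visible replacement character rather than a silently empty name.
function sanitizeHTML_visible($input, $encoding)
{
    return htmlentities(strip_tags($input), ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

$rows = array(
    'old, Latin-1 input (PHP >= 5.4)'       => sanitizeHTML_old($latin1),
    'fixed, Latin-1 input'                  => sanitizeHTML_fixed($latin1),
    'fixed, UTF-8 input (charset mismatch)' => sanitizeHTML_fixed($utf8),
    'visible, Latin-1 input read as UTF-8'  => sanitizeHTML_visible($latin1, 'UTF-8'),
);

foreach ($rows as $label => $result) {
    // bin2hex() makes "" and a U+FFFD replacement unambiguous on the terminal.
    printf("%-40s -> %-22s (hex: %s)\n", $label, var_export($result, true), bin2hex($result));
}
```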

Relationships

related to 0001241 (solved?, jandd): cacert.org SSL/TLS configuration is bad on many levels

Activities

wytze

2014-08-29 08:11

developer   ~0004983

On the production server, the CAcert chroot application environment has temporarily been reverted to Debian Squeeze, with PHP 5.3, while waiting for the resolution of this problem.

BenBE

2014-08-29 22:58

updater   ~0004985

Fix installed on testserver. Please test and review.

felixd

2014-08-29 23:49

updater   ~0004986

Last edited: 2014-08-29 23:50

I created a new user with umlauts in first and last name.
 1. The user could look at his own details.
 2. The user could see a location of an assurance in "MyPoints" containing umlauts.
 3. The user could assure another user, having umlauts in his first and last name.

=> Test PASSED

janmaco

2014-08-29 23:55

updater   ~0004987

I created a new user with special characters (ä, ü, ß, ø) in first, middle and last name.
1. The user data is correctly displayed in the "My Details" page
2. The user can see a location of an assurance and an assurer name in "My Points" containing a collection of non-ascii characters
3. The user can assure another one and sees the umlauts in the name of the other

=> Test PASSED

INOPIAE

2014-08-30 07:36

updater   ~0004988

I checked my points wot/10 and wot/15 which showed problems on the live system.
On the test server all entries with German special characters are visible in the name and the location column. =>ok

=>ok

INOPIAE

2014-08-30 07:37

updater   ~0004989

Please review as we have at least 3 successful tests.

wytze

2014-10-03 07:55

developer   ~0005043

Reminder sent to: BenBE, INOPIAE, NEOatNHNG

Can we somehow speed up the review of this tiny patch?
It is blocking completion of the upgrade of www.cacert.org to Debian Wheezy -- without that upgrade the server is much more vulnerable than we want it to be.

NEOatNHNG

2014-10-16 19:54

administrator   ~0005053

Review OK. Mail sent to admins.

But I guess we should also set the default_charset configuration variable in the php.ini so other string functions don't break silently too. What do you think?

wytze

2014-10-17 12:59

developer   ~0005055

The fix has been installed on the production server on October 17, 2014. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2014-10/msg00006.html

Issue History

Date Modified Username Field Change
2011-06-22 00:09 edgarwahn Source_changeset_attached => cacert-devel release 5b68967d
2014-08-29 08:08 wytze New Issue
2014-08-29 08:08 wytze Assigned To => BenBE
2014-08-29 08:11 wytze Test Instructions 1. Create new user with the character ö in her lastname. => 1. Create new user with the character ö in her lastname. 2. Try to assure this new user and observe correct display of lastname.
2014-08-29 08:11 wytze Note Added: 0004983
2014-08-29 22:55 BenBE Source_changeset_attached => cacert-devel testserver-stable 192c3cd1
2014-08-29 22:55 BenBE Source_changeset_attached => cacert-devel testserver-stable ea4fe47d
2014-08-29 22:58 BenBE Reviewed by => BenBE
2014-08-29 22:58 BenBE Note Added: 0004985
2014-08-29 22:58 BenBE Assigned To BenBE => NEOatNHNG
2014-08-29 22:58 BenBE Status new => needs review & testing
2014-08-29 23:49 felixd Note Added: 0004986
2014-08-29 23:50 felixd Note Edited: 0004986
2014-08-29 23:55 janmaco Note Added: 0004987
2014-08-30 07:36 INOPIAE Note Added: 0004988
2014-08-30 07:37 INOPIAE Note Added: 0004989
2014-08-30 07:37 INOPIAE Status needs review & testing => needs review
2014-09-07 15:37 wytze Relationship added related to 0001241
2014-10-03 07:55 wytze Note Added: 0005043
2014-10-16 19:10 NEOatNHNG Source_changeset_attached => cacert-devel release fb720bf4
2014-10-16 19:54 NEOatNHNG Reviewed by BenBE => NEOatNHNG, BenBE
2014-10-16 19:54 NEOatNHNG Note Added: 0005053
2014-10-16 19:54 NEOatNHNG Status needs review => ready to deploy
2014-10-17 12:59 wytze Note Added: 0005055
2014-10-17 12:59 wytze Status ready to deploy => solved?
2014-10-17 12:59 wytze Fixed in Version => 2014 Q4
2014-10-17 12:59 wytze Resolution open => fixed
2015-01-20 20:37 INOPIAE Status solved? => closed