View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001301||Main CAcert Website||account administration||public||2014-08-29 08:08||2015-01-20 20:37|
|Product Version||2014 Q3|
|Target Version||2014 Q3||Fixed in Version||2014 Q4|
|Summary||0001301: sanitizeHTML function converts input which contains non-ascii characters to an empty string|
|Description||The sanitizeHTML function which is used all over the place by the CAcert application code, returns an empty string when the input contains certain non-ascii characters, like ä or ö.|
|Steps To Reproduce||Create a new user with one or more non-ascii characters like ä or ö in her name(s), and try to assure this user. Observe that the name parts containing an 'offending' character will be displayed as empty by the application.|
|Additional Information||This problem is caused by an incompatibility between the CAcert application code and PHP 5.4. By upgrading the base operating system on the production server to Debian Wheezy, PHP has been upgraded from 5.3 to 5.4.|
The CAcert function sanitizeHTML calls the PHP function htmlentities without specifying an 'encoding' argument. The PHP5 manual says, among other things, about htmlentities:
An optional argument defining the encoding used when converting characters.
If omitted, the default value of the encoding varies depending on the PHP version in use. In PHP 5.6 and later, the default_charset configuration option is used as the default value. PHP 5.4 and 5.5 will use UTF-8 as the default. Earlier versions of PHP use ISO-8859-1.
Although this argument is technically optional, you are highly encouraged to specify the correct value for your code if you are using PHP 5.5 or earlier, or if your default_charset configuration option may be set incorrectly for the given input.
From this we can gather that explicitly setting default_charset in the PHP configuration won't help for PHP 5.4 or PHP 5.5, an actual application code change will be needed. Fortunately, this change is quite simple:
--- general.php.org 2014-06-07 11:23:52.000000000 +0200
+++ general.php 2014-08-29 09:33:53.711875476 +0200
@@ -664,7 +664,7 @@
- return htmlentities(strip_tags($input), ENT_QUOTES);
+ return htmlentities(strip_tags($input), ENT_QUOTES, "ISO-8859-1");
//In case of problems, please use the following line again:
//return htmlentities(strip_tags(utf8_decode($input)), ENT_QUOTES);
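Review bot: the `+` line pins the encoding to "ISO-8859-1" without saying why, and nothing in the hunk records the assumption it rests on, namely that the strings handed to sanitizeHTML are stored and served as Latin-1 rather than UTF-8; add a one-line comment stating that, and check it against the database connection charset and the page charset before merging, because ISO-8859-1 treats every byte as a valid character, so a UTF-8 string reaching this function is no longer rejected (the empty string seen on PHP 5.4) but silently double-encoded into mojibake entities. The commented-out `//return htmlentities(strip_tags(utf8_decode($input)), ENT_QUOTES);` kept as context is dead code that still uses the unspecified-encoding call this patch removes; if it is meant as a fallback, give it the explicit third argument as well, otherwise drop it.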
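To make the behaviour in the description concrete, here is an added example (my own PHP, not CAcert code) that runs the same htmlentities() call with and without the encoding argument, plus the UTF-8 variant a reviewer would ask about. It assumes, as the patch does, that the stored name bytes are ISO-8859-1; the two byte strings and the function names are constructed for the example.

```php
<?php
// Added example, not CAcert code: the htmlentities() call from general.php
// with and without an explicit encoding. The inputs are constructed byte
// strings; "data is stored as ISO-8859-1" is the assumption the patch makes.

// "Müller" as ISO-8859-1: ü is the single byte 0xFC, which can never start
// a valid UTF-8 sequence.
$latin1 = "M\xFCller";
// "Müller" as UTF-8: ü is the two-byte sequence 0xC3 0xBC.
$utf8 = "M\xC3\xBCller";

// 1. The original call: no encoding argument, so the result depends on the
//    PHP version (ISO-8859-1 assumed on 5.3, UTF-8 assumed on 5.4 and 5.5).
function sanitizeHTML_original($input)
{
    return htmlentities(strip_tags($input), ENT_QUOTES);
}

// 2. The patched call: the encoding of the stored data is stated explicitly.
function sanitizeHTML_fixed($input)
{
    return htmlentities(strip_tags($input), ENT_QUOTES, 'ISO-8859-1');
}

// 3. The alternative for a UTF-8 code base: declare UTF-8 and add
//    ENT_SUBSTITUTE (PHP 5.4 and later) so an invalid byte becomes U+FFFD
//    instead of turning the whole field into "".
function sanitizeHTML_utf8($input)
{
    return htmlentities(strip_tags($input), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$cases = array(
    'original, Latin-1 input' => sanitizeHTML_original($latin1),
    'fixed,    Latin-1 input' => sanitizeHTML_fixed($latin1),
    'fixed,    UTF-8 input  ' => sanitizeHTML_fixed($utf8),
    'utf8,     Latin-1 input' => sanitizeHTML_utf8($latin1),
    'utf8,     UTF-8 input  ' => sanitizeHTML_utf8($utf8),
);
foreach ($cases as $label => $out) {
    printf("%s => %s (%d bytes)\n", $label, var_export($out, true), strlen($out));
}
```

On PHP 5.4 or 5.5 the first case returns the empty string the issue describes, because 0xFC is not valid UTF-8 and htmlentities rejects the whole string; on 5.3 the same call returns M&uuml;ller. The patched call returns M&uuml;ller on every version. The third case shows the cost of pinning the encoding: with ISO-8859-1 every byte is a valid character, so a UTF-8 input is not rejected but comes back as M&Atilde;&frac14;ller, which is why the charset of the database connection and of the pages has to agree with the one passed here. The last two cases show the UTF-8 route: a genuine UTF-8 name is escaped correctly, and a stray Latin-1 byte is replaced by U+FFFD rather than blanking the field, so the corruption is visible on the page instead of hidden.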
|Tags||No tags attached.|
|Reviewed by||NEOatNHNG, BenBE|
|Test Instructions||1. Create new user with the character ö in her lastname. 2. Try to assure this new user and observe correct display of lastname.|
On the production server, the CAcert chroot application environment has temporarily been reverted to Debian Squeeze, with PHP 5.3, while waiting for the resolution of this problem.
Fix installed on testserver. Please test and review.
I created a new user with umlauts in first and last name.
1. The user could look at his own details.
2. The user could see a location of an assurance in "MyPoints" containing umlauts.
3. The user could assure another user, having umlauts in his first and last name
=> Test PASSED
I created a new user with special characters (ä, ü, ß, ø) in first, middle and last name.
1. The user data is correctly displayed in the "My Details" page
2. The user can see a location of an assurance and an assurer name in "My Points" containing a collection of non-ascii characters
3. The user can assure another one and sees the umlauts in the name of the other
=> Test PASSED
I checked my points wot/10 and wot/15 which showed problems on the live system.
On the test server all entries with German special characters are visible in the name and the location column. => ok
Please review as we have at least 3 successful tests.
Reminder sent to: BenBE, INOPIAE, NEOatNHNG
Can we somehow speed up the review of this tiny patch?
It is blocking completion of the upgrade of www.cacert.org to Debian Wheezy -- without that upgrade the server is much more vulnerable than we want it to be.
Review OK. Mail sent to admins.
But I guess we should also set the default_charset configuration variable in the php.ini so other string functions don't break silently too. What do you think?
The fix has been installed on the production server on October 17, 2014. See also:
|2011-06-22 00:09||edgarwahn||Source_changeset_attached||=> cacert-devel release 5b68967d|
|2014-08-29 08:08||wytze||New Issue|
|2014-08-29 08:08||wytze||Assigned To||=> BenBE|
|2014-08-29 08:11||wytze||Test Instructions||1. Create new user with the character ö in her lastname. => 1. Create new user with the character ö in her lastname. 2. Try to assure this new user and observe correct display of lastname.|
|2014-08-29 08:11||wytze||Note Added: 0004983|
|2014-08-29 22:55||BenBE||Source_changeset_attached||=> cacert-devel testserver-stable 192c3cd1|
|2014-08-29 22:55||BenBE||Source_changeset_attached||=> cacert-devel testserver-stable ea4fe47d|
|2014-08-29 22:58||BenBE||Reviewed by||=> BenBE|
|2014-08-29 22:58||BenBE||Note Added: 0004985|
|2014-08-29 22:58||BenBE||Assigned To||BenBE => NEOatNHNG|
|2014-08-29 22:58||BenBE||Status||new => needs review & testing|
|2014-08-29 23:49||felixd||Note Added: 0004986|
|2014-08-29 23:50||felixd||Note Edited: 0004986|
|2014-08-29 23:55||janmaco||Note Added: 0004987|
|2014-08-30 07:36||INOPIAE||Note Added: 0004988|
|2014-08-30 07:37||INOPIAE||Note Added: 0004989|
|2014-08-30 07:37||INOPIAE||Status||needs review & testing => needs review|
|2014-09-07 15:37||wytze||Relationship added||related to 0001241|
|2014-10-03 07:55||wytze||Note Added: 0005043|
|2014-10-16 19:10||NEOatNHNG||Source_changeset_attached||=> cacert-devel release fb720bf4|
|2014-10-16 19:54||NEOatNHNG||Reviewed by||BenBE => NEOatNHNG, BenBE|
|2014-10-16 19:54||NEOatNHNG||Note Added: 0005053|
|2014-10-16 19:54||NEOatNHNG||Status||needs review => ready to deploy|
|2014-10-17 12:59||wytze||Note Added: 0005055|
|2014-10-17 12:59||wytze||Status||ready to deploy => solved?|
|2014-10-17 12:59||wytze||Fixed in Version||=> 2014 Q4|
|2014-10-17 12:59||wytze||Resolution||open => fixed|
|2015-01-20 20:37||INOPIAE||Status||solved? => closed|