View Issue Details

This bug affects 1 person(s).
 10
IDProjectCategoryView StatusLast Update
16656Bug reportsSurvey takingpublic2020-11-30 11:40
ReporterDeveloperChris Assigned Togabrieljenik  
PrioritynoneSeverityblock 
Status closedResolutionfixed 
Product Version3.23.3 
Summary16656: uploading files in chrome corrupts the response and loses the uploaded file
Description

I have been chasing a sever bug for several days now and have finally determined what is causing it

The upload file question type does not adequately escape characters and causes truncated JSON to be stored in the database because the JSON is truncated it is near impossible to recover the uploaded file.

The survey is part of a covid 19 medical response so this bug is critical for us.

Steps To Reproduce

import the attached simple LSS file it contains 2 questions a file upload and a mandatory text field the mandatory part is critical to this bug.

Activate the survey and browse to it in chrome Version 85.0.4183.102 (Official Build) (64-bit)

Add a file

in the title field add a gt symbol e.g. t'itle

Do not enter any text into the mandatory text question

Click submit.

An error occurs close the error dialogue

Now you can see that the upload question contains damaged JSON

open the developer screen in chrome (F12)

add text to the mandatory text field

Submit the form and see what is actually submitted

This also fails in firefox however the symptoms can be a bit different (at times)

Additional Information

Problem is in all versions of Limesurvey 3 prior to 3.23.3

if you include a gt '<' symbol in either the title or the comment the displayed title and comment fields are also corrupted this may mean there is an XSS exploit possible

See attached images

TagsNo tags attached.
Attached Files
Bug heat10
Complete LimeSurvey version number (& build)3.23.3
I will donate to the project if issue is resolvedYes
BrowserChrome Version 85.0.4183.102
Database type & versionN/A
Server OS (if known)N/A
Webserver software & version (if known)N/A
PHP VersionN/A

Users monitoring this issue

There are no users monitoring this issue.

Activities

DeveloperChris

DeveloperChris

2020-09-10 13:23

reporter   ~59768

I meant to say "an apostrophe" but wrote "a gt symbol" however as stated later in the submission a gt "<" symbol also causes corruption

DeveloperChris

DeveloperChris

2020-11-04 01:13

reporter   ~60523

We need a resolution on this problem.

cdorin

cdorin

2020-11-04 21:44

reporter   ~60546

@gabrieljenik, could you please take a look at this one and discuss about it later?

gabrieljenik

gabrieljenik

2020-11-05 20:18

manager   ~60570

The problem is that some encoding needs to be done to the title, comments and other fields.
We need to decide if those should be saved encoded or raw.
Will try something and get back to it.

DenisChenu

DenisChenu

2020-11-06 08:30

developer   ~60576

Last edited: 2020-11-06 08:31

My opinion : saved as row (but json_encode), encoded in js (or html) only

You can found the real name with : get from DB, json_decode

gabrieljenik

gabrieljenik

2020-11-16 19:26

manager   ~60672

Encoding the upload attributes for handling and rendering in the survey participant taking process.
Saving them raw, not encoded, as to comply with the scripts which already read the DB and expect the data that way.

Still, probably, there might be a few places where adapting may be needed.

PR: https://github.com/LimeSurvey/LimeSurvey/pull/1659

gabrieljenik

gabrieljenik

2020-11-16 19:30

manager   ~60673

To be reviewed if the same is needed on LS4.
@cdorin should I check on that?

cdorin

cdorin

2020-11-27 15:24

reporter   ~60785

@gabrieljenik, please go ahead. If yes, create a ticket and ping me in it/write me in private

gabrieljenik

gabrieljenik

2020-11-30 10:39

manager   ~60798

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&amp;id=30762

lime_release_bot

lime_release_bot

2020-11-30 11:40

administrator   ~60803

Fixed in Release 3.25.2+201131

Related Changesets

LimeSurvey: 3.x-LTS 149e0239

2020-11-30 10:39:49

gabrieljenik


Committer: GitHub Details Diff
Fixed issue 16656 uploading files in chrome corrupts the response and loses the uploaded file (#1659)

* Fixed issue 16656: uploading files in chrome corrupts the response and loses the uploaded file

Encoding HTML entities of upoad attributes for handling them

* Fixed issue 16656: uploading files in chrome corrupts the response and loses the uploaded file

Saving upload attributes raw, as typed, as they were saved before the patch as to avoid having to adapt all other scripts who uses these.
Affected Issues
16656
mod - application/helpers/expressions/em_manager_helper.php Diff File
mod - application/helpers/frontend_helper.php Diff File
mod - assets/scripts/modaldialog.js Diff File
mod - assets/scripts/uploader.js Diff File

Issue History

Date Modified Username Field Change
2020-09-10 13:20 DeveloperChris New Issue
2020-09-10 13:20 DeveloperChris File Added: limesurvey_survey_733255.lss
2020-09-10 13:20 DeveloperChris File Added: 2020-09-10 20_14_18-test uploads-1.png
2020-09-10 13:20 DeveloperChris File Added: 2020-09-10 20_32_08-test uploads-2.png
2020-09-10 13:20 DeveloperChris File Added: 2020-09-10 20_27_47-test uploads-3.png
2020-09-10 13:20 DeveloperChris File Added: 2020-09-10 20_22_55-!ERROR-4.png
2020-09-10 13:20 DeveloperChris File Added: 2020-09-10 20_33_39-Developer Tools - test uploads - http___localhost_8080_index.php_733255-5.png
2020-09-10 13:20 DeveloperChris File Added: 2020-09-10 20_37_58-MySQL Workbench-6.png
2020-09-10 13:23 DeveloperChris Note Added: 59768
2020-11-04 01:13 DeveloperChris Note Added: 60523
2020-11-04 21:44 cdorin Note Added: 60546
2020-11-04 21:45 cdorin Assigned To => gabrieljenik
2020-11-04 21:45 cdorin Status new => assigned
2020-11-05 20:18 gabrieljenik Note Added: 60570
2020-11-06 08:30 DenisChenu Note Added: 60576
2020-11-06 08:31 DenisChenu Note Edited: 60576
2020-11-16 19:26 gabrieljenik Note Added: 60672
2020-11-16 19:30 gabrieljenik Note Added: 60673
2020-11-16 19:32 gabrieljenik Issue cloned: 16837
2020-11-27 15:24 cdorin Note Added: 60785
2020-11-30 10:39 gabrieljenik Changeset attached => LimeSurvey 3.x-LTS 149e0239
2020-11-30 10:39 gabrieljenik Note Added: 60798
2020-11-30 10:39 gabrieljenik Resolution open => fixed
2020-11-30 11:40 lime_release_bot Note Added: 60803
2020-11-30 11:40 lime_release_bot Status assigned => closed