View Issue Details

This bug affects 1 person(s).
ID: 18343
Project: Bug reports
Category: Other
View Status: public
Last Update: 2022-09-23 17:49
Reporter: 2BITS_PL
Assigned To: DenisChenu
Priority: none
Severity: block
Status: ready for testing
Resolution: open
Product Version: 3.28.x
Summary: 18343: Problem with interpreting double slash in an URL (IIS)
Description

Hello, in our internal testing, we noticed that the app was showing us CHttpException errors when there is a double slash in the URL.

This is the case if you run CKEditor while editing the notification template (inside the survey), as the question ID and group ID are NULL. So the URL in this case would be: "...gid//qid/"
As a result, the application returns the error "Invalid group ID" from application\core\Survey_Common_Action.php (165):

    // Reject any group ID that is not a plain integer string
    if ((string) (int) $params['iGroupId'] !== (string) $params['iGroupId']) {
        throw new CHttpException(403, gT("Invalid group ID"));
    }

The question is how to fix it?
The easiest solution for us is to cast types inside the htmleditor_helper.php file for the getPopupEditor() and getInlineEditor() functions. It will then insert zero in place of the blank values, which makes the URL work.

Steps To Reproduce


After launching the project in IIS, when we call, for example, the URL:
admin/limereplacementfields/sa/index/fieldtype/email_invitation_pl/action/editemailtemplates/surveyid/736525/gid//qid/

It mainly occurs when CKEditor is running as an inline or popup editor.

Expected result

It should display the page linked to.

Actual result

Returns CHttpException "Invalid group id"

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): Version 3.28.24+220816
I will donate to the project if issue is resolved: No
Browser:
Database type & version: SQL Server 2019
Server OS (if known): Microsoft Server 2019
Webserver software & version (if known):
PHP Version: v7.4.15 NTS x64


Activities

gabrieljenik

2022-09-12 14:02

manager   ~71674

In the following url

admin/limereplacementfields/sa/index/fieldtype/email_invitation_pl/action/editemailtemplates/surveyid/736525/gid//qid/

Isn't the GID missing actually?
Do you type the URL, or do you get it by following some UI action?

2BITS_PL

2022-09-12 14:46

reporter   ~71677

Yes, in fact both GID and QID are missing. I have provided a URL to make testing easier. But their absence can also be checked in the demo version (https://demo.limesurvey.org/): if we open the CKEditor (popup), the URL shows that gid and qid do not have an id. In the case of IIS, this causes an error message (I haven't tested version 5.x in our environment, but I suppose the problem will be there too).

In a moment I will prepare screenshots of our local environment for version 3.28 and a description of how to invoke them.

DenisChenu

2022-09-12 15:05

developer   ~71678

Last edited: 2022-09-12 15:11

I cannot reproduce

  1. gid is set
  2. even removing manually gid Question:/type/question-text/action/editquestion/sid/574436/gid//qid/10512/lang/en : no problem
  3. Checked with qid// too

See https://github.com/LimeSurvey/LimeSurvey/blob/2429adf6e624928e640de623fe499b46968274a9/application/core/Survey_Common_Action.php#L162

We check !empty at line 163 …

DenisChenu

2022-09-12 15:11

developer   ~71680

Last edited: 2022-09-12 15:13

Cannot reproduce: are you sure your version is up to date?
(see code)

But right : js can be updated on email : …/admin/htmleditor_pop/sa/index/name/email_admin_notification_en/text/Basic admin notification email body:(en)/type/email_admin_notification_en/action/editemailtemplates/sid/574436/gid//qid//lang/en

DenisChenu

2022-09-12 16:46

developer   ~71682

Oh need IIS + path format …

How do you configure IIS and PATH format ?
I have IIS with PHP setup, but have get format only : /index.php?r=admin/htmleditor_pop/sa/index/name/email_admin_notification_en/text/Basic admin notification email body:(en)/type/email_admin_notification_en/action/editemailtemplates/sid/754644/gid//qid//lang/en

Maybe it's something that can be fixed with configuration?
It could be interesting to have it in the manual:
https://manual.limesurvey.org/General_FAQ#How_can_I_remove_index.php_from_the_URL_path_to_get_a_shorter_URL

(and then I can check on my dev IIS server).

DenisChenu

2022-09-12 18:04

developer   ~71684

No: I mean by default on IIS: rewrite is not activated: url is set to path

All start with /index.php?r=
Seems you didn't have it, but on my instance I have it

Your url seems : /index.php/admin/htmleditor_pop
Mine /index.php?r=admin/htmleditor_pop

https://manual.limesurvey.org/Optional_settings/en#URL_settings

Maybe try to set url to get in config.php and check.
(I think it didn't work on IIS …)

2BITS_PL

2022-09-13 10:44

reporter   ~71700

I confirm that the problem is with the "path".
After changing the configuration to 'get' - it works.

But for us, this is not a solution as our top-down guidelines say that addresses must be user-friendly.

DenisChenu

2022-09-13 12:01

developer   ~71702

OK, but I need confirmation first.

Then does IIS allow path with showScriptName = false, or only with showScriptName = true?

DenisChenu

2022-09-14 09:43

developer   ~71707

Yep: I think we must NOT send an empty value (or send 0 if we really cannot do differently)

2BITS_PL

2022-09-14 09:44

reporter   ~71708

He understands that when faced with the problem of the "path" it must be solved in a global context.
But the reported problem was only visible in CKEditor. And the fastest solution for us is to cast to integer for $gID and $qID in the getEditor method (application\helpers\admin\htmleditor_helper.php)
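
Added example, not part of the original thread and not LimeSurvey or Yii code: a PHP illustration of why the empty gid segment matters under path-format URLs and why the integer cast proposed above avoids it. The pair parser, the function names, the 'gid' key and the premise that the server drops the empty segment before the application sees the path are assumptions made for illustration; the thread does not establish the exact cause.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Simplified key/value pairing of path segments, as a path-format router does.
function parsePairs(string $path): array
{
    $segs = explode('/', $path . '/');
    $params = [];
    for ($i = 0; $i < count($segs) - 1; $i += 2) {
        if ($segs[$i] === '') {
            continue; // a segment in key position with no name is skipped
        }
        $params[$segs[$i]] = $segs[$i + 1];
    }
    return $params;
}

// The check quoted in the report, behind the !empty guard mentioned in the thread.
function groupIdIsAccepted(array $params): bool
{
    if (!empty($params['gid'])
        && (string) (int) $params['gid'] !== (string) $params['gid']) {
        return false; // the application throws CHttpException 403 at this point
    }
    return true;
}

// The reporter's workaround: cast before building the URL so no segment is empty.
function editorUrlTail($gid, $qid): string
{
    return 'gid/' . (int) $gid . '/qid/' . (int) $qid;
}

$cases = [
    'as generated'       => 'surveyid/736525/gid//qid/',
    // Assumption: "//" collapsed to "/" before the application parses the path.
    'empty segment lost' => 'surveyid/736525/gid/qid/',
    'with integer cast'  => 'surveyid/736525/' . editorUrlTail(null, null),
];
foreach ($cases as $label => $path) {
    $p = parsePairs($path);
    printf("%-20s gid=%-6s %s\n", $label, var_export($p['gid'] ?? null, true),
        groupIdIsAccepted($p) ? 'accepted' : '403 Invalid group ID');
}
```

In the second case the pairing shifts, so the literal string "qid" becomes the value of gid and fails the integer round-trip check; with the cast, no segment is empty and the pairing cannot shift.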

DenisChenu

2022-09-14 09:45

developer   ~71709

PS: starting the web.config system in the manual is still a good idea :).

Do you know how to deny access to ^/upload/surveys/./fu_[a-z0-9]$ files?
And maybe to ^/(application|docs|framework|locale|protected|tests|themes/\w+/views) too?

Denis

DenisChenu

2022-09-22 18:44

developer   ~71897

https://github.com/LimeSurvey/LimeSurvey/pull/2630

DenisChenu

2022-09-23 17:49

developer   ~71922

@2BITS_PL: can you test https://github.com/LimeSurvey/LimeSurvey/pull/2630 please?

Issue History

Date Modified Username Field Change
2022-09-12 13:40 2BITS_PL New Issue
2022-09-12 14:02 gabrieljenik Note Added: 71674
2022-09-12 14:02 gabrieljenik Bug heat 0 => 2
2022-09-12 14:02 gabrieljenik Status new => feedback
2022-09-12 14:46 2BITS_PL Note Added: 71677
2022-09-12 14:46 2BITS_PL Bug heat 2 => 4
2022-09-12 14:46 2BITS_PL Status feedback => new
2022-09-12 15:05 DenisChenu Note Added: 71678
2022-09-12 15:05 DenisChenu Bug heat 4 => 6
2022-09-12 15:11 DenisChenu Note Edited: 71678
2022-09-12 15:11 DenisChenu Assigned To => DenisChenu
2022-09-12 15:11 DenisChenu Status new => feedback
2022-09-12 15:11 DenisChenu Note Added: 71680
2022-09-12 15:13 DenisChenu Note Edited: 71680
2022-09-12 16:41 2BITS_PL Status feedback => assigned
2022-09-12 16:46 DenisChenu Note Added: 71682
2022-09-12 18:04 DenisChenu Note Added: 71684
2022-09-13 10:44 2BITS_PL Note Added: 71700
2022-09-13 12:01 DenisChenu Note Added: 71702
2022-09-14 09:43 DenisChenu Note Added: 71707
2022-09-14 09:44 2BITS_PL Note Added: 71708
2022-09-14 09:45 DenisChenu Note Added: 71709
2022-09-22 18:44 DenisChenu Assigned To DenisChenu => gabrieljenik
2022-09-22 18:44 DenisChenu Status assigned => ready for code review
2022-09-22 18:44 DenisChenu Note Added: 71897
2022-09-23 15:12 gabrieljenik Assigned To gabrieljenik => DenisChenu
2022-09-23 15:12 gabrieljenik Status ready for code review => ready for testing
2022-09-23 17:49 DenisChenu Note Added: 71922