SF Bug #3036033 - Error if CN begins with a % sign

htdocs/add_attr_form.php

@@ -169,7 +169,7 @@ if (get_request('meth','REQUEST') != 'ajax') {
 	echo '<td valign="top" align="center">';
 
 	printf('<select name="attr" onchange="ajDISPLAY(\'%s\',\'cmd=add_value_form&server_id=%s&dn=%s&attr=\'+this.value,\'%s\',\'append\');">',
-		'ADDATTR',$app['server']->getIndex(),rawurlencode(get_request('dn','REQUEST')),_('Please Wait'));
+		'ADDATTR',$app['server']->getIndex(),$request['template']->getDNEncode(),_('Please Wait'));
 
 	printf('<option value="%s">%s</option>','','');
 	foreach ($request['template']->getAvailAttrs() as $attribute)

htdocs/create.php

@@ -64,11 +64,11 @@ if ($add_result) {
 
 	else if ($action_number == 2)
 		$redirect_url = sprintf('cmd.php?%s&template=%s&container=%s',
-			$href,'default',rawurlencode($request['template']->getContainer()));
+			$href,'default',$request['template']->getContainerEncode());
 
 	else
 		$redirect_url = sprintf('cmd.php?%s&template=%s&dn=%s',
-			$href,'default',rawurlencode($request['template']->getDN()));
+			$href,'default',$request['template']->getDNEncode());
 
 	if ($action_number == 1 || $action_number == 2)
 		printf('<meta http-equiv="refresh" content="0; url=%s" />',$redirect_url);

htdocs/create_confirm.php

@@ -65,7 +65,7 @@ if (count($request['template']->getLDAPadd(true))) {
 	echo '<div>';
 	echo '<input type="hidden" name="cmd" value="create" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-	printf('<input type="hidden" name="container" value="%s" />',htmlspecialchars($request['template']->getContainer()));
+	printf('<input type="hidden" name="container" value="%s" />',$request['template']->getContainerEncode(false));
 	printf('<input type="hidden" name="template" value="%s" />',$request['template']->getID());
 	foreach ($request['template']->getRDNAttrs() as $rdn)
 		printf('<input type="hidden" name="rdn_attribute[]" value="%s" />',htmlspecialchars($rdn));
@@ -127,7 +127,7 @@ if (count($request['template']->getLDAPadd(true))) {
 
 } else {
 	$href = sprintf('cmd=template_engine&server_id=%s&dn=%s',
-		$app['server']->getIndex(),rawurlencode($request['dn']));
+		$app['server']->getIndex(),$request['template']->getDNEncode());
 
 	echo '<div style="text-align: center;">';
 	echo _('You made no changes');

htdocs/update.php

@@ -64,7 +64,7 @@ if ($result) {
 	}
 
 	$redirect_url = sprintf('cmd.php?cmd=template_engine&server_id=%s&dn=%s',
-		$app['server']->getIndex(),rawurlencode($request['dn']));
+		$app['server']->getIndex(),$request['template']->getDNEncode());
 
 	foreach ($request['template']->getLDAPmodify() as $attr => $junk)
 		$redirect_url .= sprintf('&modified_attrs[]=%s',$attr);

htdocs/update_confirm.php

@@ -42,7 +42,7 @@ if (count($request['template']->getLDAPmodify(true))) {
 	echo '<div>';
 	echo '<input type="hidden" name="cmd" value="update" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-	printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
+	printf('<input type="hidden" name="dn" value="%s" />',$request['template']->getDNEncode(false));
 	echo "\n";
 
 	$request['page']->drawHiddenAttributes();
@@ -221,7 +221,7 @@ if (count($request['template']->getLDAPmodify(true))) {
 
 } else {
 	$href = sprintf('cmd=template_engine&server_id=%s&dn=%s',
-		 $app['server']->getIndex(),rawurlencode($request['dn']));
+		 $app['server']->getIndex(),$request['template']->getDNEncode());
 
 	echo '<div style="text-align: center;">';
 	echo _('You made no changes');

lib/AJAXTree.php

@@ -57,7 +57,7 @@ class AJAXTree extends HTMLTree {
 			return '';
 
 		# Get our children.
-		$child_count = $this->readChildrenNumber($item);
+		$child_count = $this->readChildrenNumber($entry->getDN());
 
 		$nb = 0;
 		if ($first_child)
@@ -81,12 +81,12 @@ class AJAXTree extends HTMLTree {
 		$new_code = array('1','1','0','0');
 
 		# Links
-		$parms['openclose'] = htmlspecialchars(sprintf('server_id=%s&dn=%s&code=%s%s',$this->getServerID(),rawurlencode($item),$code,$new_code[$nb]));
-		$parms['edit'] = htmlspecialchars(sprintf('cmd=template_engine&server_id=%s&dn=%s',$this->getServerID(),rawurlencode($item)));
+		$parms['openclose'] = htmlspecialchars(sprintf('server_id=%s&dn=%s&code=%s%s',$this->getServerID(),$entry->getDNEncode(),$code,$new_code[$nb]));
+		$parms['edit'] = htmlspecialchars(sprintf('cmd=template_engine&server_id=%s&dn=%s',$this->getServerID(),$entry->getDNEncode()));
 		$href = sprintf('cmd.php?%s',$parms['edit']);
 
 		# Each node has a unique id based on dn
-		$node_id = sprintf('node%s',base64_encode(sprintf('%s-%s',$server->getIndex(),$item)));
+		$node_id = sprintf('node%s',base64_encode(sprintf('%s-%s',$server->getIndex(),$entry->getDN())));
 		$node_id = str_replace('=','_',$node_id);
 
 		if ($level == 0)
@@ -110,12 +110,12 @@ class AJAXTree extends HTMLTree {
 			echo '</a>';
 		}
 
-		printf('<a href="%s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');" title="%s" >',$href,$parms['edit'],_('Retrieving DN'),htmlspecialchars($item));
+		printf('<a href="%s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');" title="%s" >',$href,$parms['edit'],_('Retrieving DN'),htmlspecialchars($entry->getDN()));
 		printf('<span class="dnicon"><img id="jt%sfolder" src="%s/%s" alt="->" class="imgs" style="border: 0px; vertical-align:text-top;" /></span>',$node_id,IMGDIR,$entry->getIcon($server));
 		echo '</a>';
 
 		echo '&nbsp;';
-		printf('<a href="%s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');" title="%s" class="phplm">',$href,$parms['edit'],_('Retrieving DN'),htmlspecialchars($item));
+		printf('<a href="%s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');" title="%s" class="phplm">',$href,$parms['edit'],_('Retrieving DN'),htmlspecialchars($entry->getDN()));
 		echo $this->get_formatted_dn($entry,$level-1);
 		echo ($child_count ? (sprintf(' (%s%s)',$child_count,($entry->isSizeLimited() ? '+' : ''))) : '');
 		echo '</a>';
@@ -264,7 +264,7 @@ class AJAXTree extends HTMLTree {
 
 		$output = '';
 
-		$href = sprintf('cmd=template_engine&server_id=%s&container=%s',$this->getServerID(),rawurlencode($entry->getDN()));
+		$href = sprintf('cmd=template_engine&server_id=%s&container=%s',$this->getServerID(),$entry->getDNEncode());
 
 		$output .= $this->get_indentation($level);
 		$output .= sprintf('<img src="%s" alt="--" class="imgs" style="border: 0px; vertical-align:text-top;" />',$img);

lib/Query.php

@@ -195,6 +195,14 @@ class Query extends xmlTemplate {
 		return $this->dn;
 	}
 
+	public function getDNEncode($url=true) {
+		// @todo Be nice to do all this in 1 location
+		if ($url)
+			return urlencode(preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->dn));
+		else
+			return preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->dn);
+	}
+
 	public function getAttrSortOrder() {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',5,0,__FILE__,__LINE__,__METHOD__,$fargs);

lib/QueryRender.php

@@ -273,7 +273,7 @@ class QueryRender extends PageRender {
 						printf('<td class="icon"><img src="%s/%s" alt="icon" /></td>',IMGDIR,get_icon($server->getIndex(),$dndetails['dn']));
 
 						printf('<td colspan="2"><a href="cmd.php?cmd=template_engine&amp;server_id=%s&amp;dn=%s">%s</a></td>',
-							$server->getIndex(),rawurlencode($dndetails['dn']),htmlspecialchars(get_rdn($dndetails['dn'])));
+							$server->getIndex(),$this->template->getDNEncode(),htmlspecialchars(get_rdn($dndetails['dn'])));
 						echo '</tr>';
 
 						printf('<tr class="list_item"><td class="blank">&nbsp;</td><td class="heading">dn</td><td class="value">%s</td></tr>',
@@ -363,7 +363,7 @@ class QueryRender extends PageRender {
 						if ($_SESSION[APPCONFIG]->getValue('mass','enabled'))
 							printf('<td><input type="checkbox" id="ma_%s" name="dn[]" value="%s" onclick="this.checked=!this.checked;" /></td>',$j,$dndetails['dn']);
 
-						$href = sprintf('cmd=template_engine&server_id=%s&dn=%s',$server->getIndex(),rawurlencode($dndetails['dn']));
+						$href = sprintf('cmd=template_engine&server_id=%s&dn=%s',$server->getIndex(),$this->template->getDNEncode());
 						printf('<td class="icon"><a href="cmd.php?%s"><img src="%s/%s" alt="icon" /></a></td>',
 							htmlspecialchars($href),
 							IMGDIR,get_icon($server->getIndex(),$dndetails['dn']));

lib/Template.php

@@ -634,6 +634,14 @@ class Template extends xmlTemplate {
 			return $this->getRDN();
 	}
 
+	public function getDNEncode($url=true) {
+		// @todo Be nice to do all this in 1 location
+		if ($url)
+			return urlencode(preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->getDN()));
+		else
+			return preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->getDN());
+	}
+
 	/**
 	 * Set the container for this template, if we are creating entries
 	 *
@@ -665,6 +673,14 @@ class Template extends xmlTemplate {
 		return $this->container;
 	}
 
+	public function getContainerEncode($url=true) {
+		// @todo Be nice to do all this in 1 location
+		if ($url)
+			return urlencode(preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->container));
+		else
+			return preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->container);
+	}
+
 	/**
 	 * Copy a DN
 	 */

lib/TemplateRender.php

@@ -53,7 +53,7 @@ class TemplateRender extends PageRender {
 				parent::accept();
 
 			$this->url_base = sprintf('server_id=%s&dn=%s',
-				$this->getServerID(),rawurlencode($this->template->getDN()));
+				$this->getServerID(),$this->template->getDNEncode());
 			$this->layout['hint'] = sprintf('<td class="icon"><img src="%s/light.png" alt="%s" /></td><td colspan="3"><span class="hint">%%s</span></td>',
 				IMGDIR,_('Hint'));
 			$this->layout['action'] = '<td class="icon"><img src="%s/%s" alt="%s" /></td><td><a href="cmd.php?%s" title="%s">%s</a></td>';
@@ -646,7 +646,7 @@ class TemplateRender extends PageRender {
 
 		} elseif ($this->template->getContext() == 'copyasnew') {
 			$this->drawStepFormStart($this->page);
-			printf('<input type="hidden" name="container" value="%s" />',htmlspecialchars($this->template->getContainer()));
+			printf('<input type="hidden" name="container" value="%s" />',$this->template->getContainer(false));
 			echo '<div><table>';
 			$this->drawRDNChooser();
 			echo '</table></div>';
@@ -699,7 +699,7 @@ class TemplateRender extends PageRender {
 					break;
 
 				case 'modification':
-					$title = get_rdn($this->dn);
+					$title = htmlspecialchars(get_rdn($this->dn));
 					break;
 
 				default:
@@ -1188,7 +1188,7 @@ class TemplateRender extends PageRender {
 
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
-		$href = sprintf('cmd=template_engine&server_id=%s&container=%s',$this->getServerID(),rawurlencode($this->template->getDN()));
+		$href = sprintf('cmd=template_engine&server_id=%s&container=%s',$this->getServerID(),$this->template->getDNEncode());
 
 		if (isAjaxEnabled())
 			return sprintf($this->layout['actionajax'],IMGDIR,'create.png',_('Create'),
@@ -1227,7 +1227,7 @@ class TemplateRender extends PageRender {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
 		$href = sprintf('cmd=query_engine&server_id=%s&filter=%s&base=%s&scope=one&query=none&size_limit=0&search=true',
-			$this->getServerID(),rawurlencode('objectClass=*'),rawurlencode($this->template->getDN()));
+			$this->getServerID(),rawurlencode('objectClass=*'),$this->template->getDNEncode());
 
 		if (isAjaxEnabled())
 			return sprintf($this->layout['actionajax'],IMGDIR,'children.png',_('Children'),
@@ -1389,7 +1389,7 @@ class TemplateRender extends PageRender {
 
 		echo '<div>';
 		printf('<input type="hidden" name="server_id" value="%s" />',$this->getServerID());
-		printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($this->template->getDN()));
+		printf('<input type="hidden" name="dn" value="%s" />',$this->template->getDNEncode(false));
 		printf('<input type="hidden" name="template" value="%s" />',$this->template->getID());
 		echo '</div>';
 
@@ -1514,7 +1514,7 @@ class TemplateRender extends PageRender {
 				$this->drawObjectClassChooser();
 
 		} else {
-			printf('<input type="hidden" name="container" value="%s" />',htmlspecialchars($this->template->getContainer()));
+			printf('<input type="hidden" name="container" value="%s" />',$this->template->getContainerEncode(false));
 			echo '</div>';
 
 			echo '<table class="entry" cellspacing="0" border="0" style="margin-left: auto; margin-right: auto;">';
@@ -2075,7 +2075,7 @@ function fillRec(id,value) {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
 		$href_parm = htmlspecialchars(sprintf('cmd=add_value_form&server_id=%s&dn=%s&attr=%s',
-			$this->getServerID(),rawurlencode($this->template->getDN()),rawurlencode($attribute->getName(false))));
+			$this->getServerID(),$this->template->getDNEncode(),rawurlencode($attribute->getName(false))));
 
 		if (isAjaxEnabled())
 			return sprintf('(<a href="cmd.php?%s" title="%s %s" onclick="return ajDISPLAY(\'ADDVALUE%s\',\'%s&amp;raw=1\',\'%s\',1);">%s</a>)',
@@ -2093,7 +2093,7 @@ function fillRec(id,value) {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
 		$href_parm = htmlspecialchars(sprintf('cmd=add_value_form&server_id=%s&dn=%s&attr=%s',
-			$this->getServerID(),rawurlencode($this->template->getDN()),rawurlencode($attribute->getName(false))));
+			$this->getServerID(),$this->template->getDNEncode(),rawurlencode($attribute->getName(false))));
 
 		if (isAjaxEnabled())
 			return sprintf('(<a href="cmd.php?%s" title="%s %s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');">%s</a>)',
@@ -2111,7 +2111,7 @@ function fillRec(id,value) {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
 		$href = sprintf('cmd=modify_member_form&server_id=%s&dn=%s&attr=%s',
-			$this->getServerID(),rawurlencode($this->template->getDN()),rawurlencode($attribute->getName()));
+			$this->getServerID(),$this->template->getDNEncode(),rawurlencode($attribute->getName()));
 
 		if (isAjaxEnabled())
 			return sprintf('(<a href="cmd.php?%s" title="%s: %s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');">%s</a>)',
@@ -2130,7 +2130,7 @@ function fillRec(id,value) {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
 		$href = sprintf('cmd.php?cmd=rename_form&server_id=%s&dn=%s&template=%s',
-			$this->getServerID(),rawurlencode($this->template->getDN()),$this->template->getID());
+			$this->getServerID(),$this->template->getDNEncode(),$this->template->getID());
 
 		return sprintf('<small>(<a href="%s">%s</a>)</small>',htmlspecialchars($href),_('rename'));
 	}
@@ -2285,7 +2285,7 @@ function fillRec(id,value) {
 		echo '<!-- This form is submitted by JavaScript when the user clicks "Delete attribute" on a binary attribute -->';
 		echo '<form id="delete_attribute_form" action="cmd.php?cmd=delete_attr" method="post">';
 		printf('<input type="hidden" name="server_id" value="%s" />',$this->getServerID());
-		printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($this->template->getDN()));
+		printf('<input type="hidden" name="dn" value="%s" />',$this->template->getDNEncode());
 		printf('<input type="hidden" name="template" value="%s" />',$this->template->getID());
 		echo '<input type="hidden" name="attr" value="FILLED IN BY JAVASCRIPT" />';
 		echo '<input type="hidden" name="index" value="FILLED IN BY JAVASCRIPT" />';

lib/TreeItem.php

@@ -58,6 +58,10 @@ class TreeItem {
 		return $this->dn;
 	}
 
+	public function getDNEncode() {
+		return urlencode(preg_replace('/%([0-9a-fA-F]+)/',"%25\\1",$this->dn));
+	}
+
 	/**
 	 * Get the RDN of this tree items DN.
 	 *