Bug #35090

base64-encode of URI-transferred serialized objects

Added by Adrian Föder over 3 years ago. Updated about 2 years ago.

Status: Resolved
Start date: 2012-03-21
Priority: Should have
Due date:
Assigned To: Adrian Föder
% Done: 100%
Category: -
Target version: -
Has patch: Yes
Affected Flow version: Git master

Description

At least Fluid widgets add a serialized object to links in order to transfer them across requests.
Maybe it's worth considering base64-encoding these serialized objects to avoid problems like Suhosin's null-byte omission.

Additional explanation: serialized objects contain NULL bytes if a property of the object is protected.

Associated revisions

Revision f53ee1c6
Added by Adrian Föder about 2 years ago

[BUGFIX] Base64-encode widget context

In order to avoid various null-byte-issues as they occur
when serializing an object with protected members (see
[1]); for example with Suhosin or some reverse proxy
implementations; the context object is transferred
in a Base64 encoded state now.

As there is no need to urlencode it anymore, this additionally
saves some bytes.

[1] http://php.net/serialize section "Parameters", subsection Note

Fixes: #35090
Releases: master
Change-Id: Idc9d1bbd944324db0f24ff3ac7fed766d2c473b1
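
The failure mode and the fix described in this commit message, as an added example (not code from the Fluid change itself). `DemoWidgetContext` and `stripNulBytes()` are hypothetical names; the latter models an intermediary that drops NUL bytes from request parameters, and all sample values are constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a widget context; not the Fluid class.
final class DemoWidgetContext
{
    protected string $widgetId = 'demo-widget-1';
    protected array $configuration = ['itemsPerPage' => 10];
    public string $controller = 'Paginate';
}

// Hypothetical filter modelling an intermediary that drops NUL bytes
// from request parameters (the behaviour the ticket attributes to Suhosin).
function stripNulBytes(string $value): string
{
    return str_replace("\0", '', $value);
}

function restore(string $payload): ?DemoWidgetContext
{
    // Restrict unserialize() to the one expected class; "@" silences the
    // notice so a corrupted payload simply yields null.
    $object = @unserialize($payload, ['allowed_classes' => [DemoWidgetContext::class]]);
    return $object instanceof DemoWidgetContext ? $object : null;
}

$serialized = serialize(new DemoWidgetContext());

// Protected members are stored as "\0*\0name", so each one adds two NUL bytes.
printf("NUL bytes in serialized form: %d\n", substr_count($serialized, "\0"));

// Old transport: raw serialized string, percent-encoded for the URI.
$urlEncoded = rawurlencode($serialized);
$afterFilter = stripNulBytes(rawurldecode($urlEncoded));
printf("urlencoded length: %d, restored after NUL stripping: %s\n",
    strlen($urlEncoded), restore($afterFilter) === null ? 'no' : 'yes');

// New transport: Base64 text contains no NUL bytes, so the filter is a no-op.
$base64 = base64_encode($serialized);
$decoded = base64_decode(stripNulBytes($base64), true);
printf("base64 length: %d, restored after NUL stripping: %s\n",
    strlen($base64), $decoded !== false && restore($decoded) !== null ? 'yes' : 'no');
```

Base64 only changes the transport encoding and does not authenticate the payload, which is why the sketch also restricts `unserialize()` with `allowed_classes`.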

History

#1 Updated by Adrian Föder over 3 years ago

  • Assigned To set to Bastian Waidelich

#2 Updated by Bastian Waidelich almost 3 years ago

  • Assigned To deleted (Bastian Waidelich)

Mh, base64 encoding sounds a bit "expensive" to me, but I can't really judge this atm.
I unassign myself for now so someone else can comment on this

#3 Updated by Adrian Föder about 2 years ago

Another reason would be that, apparently, Pound (http://linux.die.net/man/8/pound) also does not support NULL bytes in URIs: http://www.apsis.ch/pound/pound_list/archive/2012/2012-07/1341212883000/index_html?fullMode=1#1341341716000

#4 Updated by Adrian Föder about 2 years ago

  • Category set to MVC
  • Status changed from New to Accepted
  • Assigned To set to Adrian Föder

#5 Updated by Adrian Föder about 2 years ago

  • Project changed from TYPO3.Flow to TYPO3.Fluid
  • Category deleted (MVC)

#6 Updated by Adrian Föder about 2 years ago

  • Subject changed from Evaluate base64_encoding of URI-transferred serialized objects to base64-encode of URI-transferred serialized objects

#7 Updated by Adrian Föder about 2 years ago

As a side note, the URI length w/o base64 encoding, resulting in the need to urlencode it, is 546 bytes, whereas the base64-encoded variant is 516 characters long.

#8 Updated by Gerrit Code Review about 2 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/22264

#9 Updated by Adrian Föder about 2 years ago

  • Tracker changed from Task to Bug
  • Has patch changed from No to Yes
  • Affected Flow version set to Git master

Changed to Bug because the current behavior will definitely break under the mentioned circumstances (using Suhosin).

#10 Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/22264

#11 Updated by Adrian Föder about 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
