** Description changed: From http://bazaar.launchpad.net/~ubuntuone-control- tower/libubuntuone/trunk/view/head:/libubuntuone/u1-music-store.c#L1426 u1_music_store_load_store_link (U1MusicStore *music_store, const gchar *url) { - gchar *real_url, *oauth_consumer_token, *oauth_consumer_secret, *oauth_token, *oauth_token_secret; - g_return_if_fail (U1_IS_MUSIC_STORE (music_store)); - g_return_if_fail (url != NULL); - /* If the load_real_store callback is set up, disable it first */ - if (music_store->priv->idle_cb > 0) { - g_source_remove (music_store->priv->idle_cb); - music_store->priv->idle_cb = 0; - } - real_url = g_strdup_printf ("%s%s?forward_on_to_url=%s", - music_store->priv->base_url, - U1_STORE_URL, - url); + gchar *real_url, *oauth_consumer_token, *oauth_consumer_secret, *oauth_token, *oauth_token_secret; + g_return_if_fail (U1_IS_MUSIC_STORE (music_store)); + g_return_if_fail (url != NULL); + /* If the load_real_store callback is set up, disable it first */ + if (music_store->priv->idle_cb > 0) { + g_source_remove (music_store->priv->idle_cb); + music_store->priv->idle_cb = 0; + } + real_url = g_strdup_printf ("%s%s?forward_on_to_url=%s", + music_store->priv->base_url, + U1_STORE_URL, + url); This isn't escaping the forward_on_to_url. What this means is this: music_store->priv->base_url = https://one.ubuntu.com/ U1_STORE_URL = /music/login url = http://7dserver/path?q1=a&q2=b will give the URL https://one.ubuntu.com/music/login?forward_on_to_url=http://7dserver/path?q1=a&q2=b which is wrong, because the parameter q2=b is a parameter of the one.ubuntu.com URL, not of the 7dserver URL. The forward_on_to_url needs to be escaped to http%3A//7dserver/path%3Fq1%3Da%26q2%3Db before it is oauth-signed. + + To replicate: + 1. Run Banshee + 2. xdg-open 'u1ms://stores.7digital.com/corporate_2/stores/productDetail.aspx?shop=496&partner=983&pid=595524&sid=17861804' + 3. See a "My Music" green non-U1 store error page + + What should happen: + 3. 
See an Ubuntu One album page
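Review bot: In the quoted `u1_music_store_load_store_link`, `url` is formatted into the query string unchanged, and per the reproduction steps it comes from a `u1ms://` link handed to the application from outside, so every `&` in that link becomes a separator in the one.ubuntu.com login request that is then OAuth-signed. Beyond the wrong-page symptom reported here, this lets whoever wrote the link add top-level parameters to a signed request. Percent-encoding the value before formatting closes that: `gchar *escaped = g_uri_escape_string (url, NULL, FALSE);`, passed to `g_strdup_printf` in place of `url` and released with `g_free (escaped);` (this also encodes `/`, which is still a valid encoding of the value). The excerpt stops after the `g_strdup_printf` call, so it does not show whether the signing code re-encodes the query or whether `real_url` is freed. Whether the server restricts `forward_on_to_url` to the expected store hosts is not visible here either and is worth confirming, since escaping fixes the parameter boundary but does not limit where the login forwards to.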
** Description changed: From http://bazaar.launchpad.net/~ubuntuone-control- tower/libubuntuone/trunk/view/head:/libubuntuone/u1-music-store.c#L1426 u1_music_store_load_store_link (U1MusicStore *music_store, const gchar *url) { gchar *real_url, *oauth_consumer_token, *oauth_consumer_secret, *oauth_token, *oauth_token_secret; g_return_if_fail (U1_IS_MUSIC_STORE (music_store)); g_return_if_fail (url != NULL); /* If the load_real_store callback is set up, disable it first */ if (music_store->priv->idle_cb > 0) { g_source_remove (music_store->priv->idle_cb); music_store->priv->idle_cb = 0; } real_url = g_strdup_printf ("%s%s?forward_on_to_url=%s", music_store->priv->base_url, U1_STORE_URL, url); This isn't escaping the forward_on_to_url. What this means is this: music_store->priv->base_url = https://one.ubuntu.com/ U1_STORE_URL = /music/login url = http://7dserver/path?q1=a&q2=b will give the URL https://one.ubuntu.com/music/login?forward_on_to_url=http://7dserver/path?q1=a&q2=b which is wrong, because the parameter q2=b is a parameter of the one.ubuntu.com URL, not of the 7dserver URL. The forward_on_to_url needs to be escaped to http%3A//7dserver/path%3Fq1%3Da%26q2%3Db before it is oauth-signed. To replicate: 1. Run Banshee 2. xdg-open 'u1ms://stores.7digital.com/corporate_2/stores/productDetail.aspx?shop=496&partner=983&pid=595524&sid=17861804' 3. See a "My Music" green non-U1 store error page What should happen: - 3. See an Ubuntu One album page + 3. See an Ubuntu One Music album page (if in the WORLD store territory) or an Ubuntu One Music error page (if not) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/863176 Title: Store URLs not escaped properly when logging in
