** Description changed:

  From http://bazaar.launchpad.net/~ubuntuone-control-tower/libubuntuone/trunk/view/head:/libubuntuone/u1-music-store.c#L1426
  
  u1_music_store_load_store_link (U1MusicStore *music_store, const gchar *url)
  {
   gchar *real_url, *oauth_consumer_token, *oauth_consumer_secret, *oauth_token, *oauth_token_secret;
   g_return_if_fail (U1_IS_MUSIC_STORE (music_store));
   g_return_if_fail (url != NULL);
   /* If the load_real_store callback is set up, disable it first */
   if (music_store->priv->idle_cb > 0) {
    g_source_remove (music_store->priv->idle_cb);
    music_store->priv->idle_cb = 0;
   }
   real_url = g_strdup_printf ("%s%s?forward_on_to_url=%s",
          music_store->priv->base_url,
          U1_STORE_URL,
          url);
  
  This isn't escaping the forward_on_to_url. What this means is this:
  
  music_store->priv->base_url = https://one.ubuntu.com/
  U1_STORE_URL = /music/login
  url = http://7dserver/path?q1=a&q2=b
  
  will give the URL
  
  
  https://one.ubuntu.com/music/login?forward_on_to_url=http://7dserver/path?q1=a&q2=b
  
  which is wrong, because the parameter q2=b is a parameter of the
  one.ubuntu.com URL, not of the 7dserver URL. The forward_on_to_url needs
  to be escaped to http%3A//7dserver/path%3Fq1%3Da%26q2%3Db before it is
  oauth-signed.
  
  To replicate:
  1. Run Banshee
- 2. xdg-open 
'u1ms://stores.7digital.com/corporate_2/stores/productDetail.aspx?shop=496&partner=983&pid=595524&sid=17861804'
+ 2. xdg-open 
'u1ms://stores.7digital.com/stores/corporate_2/productDetail.aspx?shop=496&partner=983&pid=595524&sid=17861804'
  3. See a "My Music" green non-U1 store error page
  
  What should happen:
  3. See an Ubuntu One Music album page (if in the WORLD store territory) or an Ubuntu One Music error page (if not)

https://bugs.launchpad.net/bugs/863176

Title:
  Store URLs not escaped properly when logging in
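
The effect described in the report, as an added example that is not libubuntuone code: it builds the login URL with and without escaping and shows what a receiver that splits the query on `&` would recover as `forward_on_to_url`. The function names, the hand-written encoder (which leaves `/` unescaped, as in the report's escaped form) and the receiver's parsing are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Values from the report; the base URL's trailing slash is dropped so the
   result matches the URL shown there. */
#define BASE_URL     "https://one.ubuntu.com"
#define U1_STORE_URL "/music/login"
#define TARGET       "http://7dserver/path?q1=a&q2=b"

/* Percent-encode src; unreserved characters and '/' pass through. */
static int escape_param(const char *src, char *dst, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (o + 4 > cap) return -1;            /* room for %XX plus NUL */
        if (isalnum(c) || strchr("-._~/", c)) dst[o++] = (char)c;
        else { dst[o++] = '%'; dst[o++] = hex[c >> 4]; dst[o++] = hex[c & 15]; }
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical receiver: the value runs to the next '&', then is decoded. */
static int forwarded_value(const char *login_url, char *out, size_t cap) {
    const char *key = "forward_on_to_url=";
    const char *p = strstr(login_url, key);
    size_t o = 0; unsigned int byte;
    if (!p || cap == 0) return -1;
    for (p += strlen(key); *p && *p != '&'; p++) {
        if (o + 1 >= cap) return -1;
        if (*p == '%' && isxdigit((unsigned char)p[1]) &&
            isxdigit((unsigned char)p[2]) && sscanf(p + 1, "%2x", &byte) == 1) {
            out[o++] = (char)byte; p += 2;
        } else out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

/* escape=0 reproduces the reported concatenation; escape=1 encodes first. */
static int build_login_url(const char *url, int escape, char *out, size_t cap) {
    char esc[512];
    if (escape) { if (escape_param(url, esc, sizeof esc)) return -1; url = esc; }
    int n = snprintf(out, cap, "%s%s?forward_on_to_url=%s", BASE_URL, U1_STORE_URL, url);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char u[1024], v[512];
    for (int escape = 0; escape <= 1; escape++)
        if (!build_login_url(TARGET, escape, u, sizeof u) && !forwarded_value(u, v, sizeof v))
            printf("escape=%d forwards to: %s\n", escape, v);
    return 0;
}
```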
