OJS OCS OMP OHS

You are viewing the PKP Support Forum | PKP Home Wiki



"~" URL issue

Are you responsible for making OJS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, btbell, michael, bdgregg, barbarah, asmecher

Forum rules
What to do if you have a technical problem with OJS:

1. Search the forum. You can do this from the Advanced Search Page or from our Google Custom Search, which will search the entire PKP site. If you are encountering an error, we especially recommend searching the forum for said error.

2. Check the FAQ to see if your question or error has already been resolved.

3. Post a question, but please, only after trying the above two solutions. If it's a workflow or usability question you should probably post to the OJS Editorial Support and Discussion subforum; if you have a development question, try the OJS Development subforum.

"~" URL issue

Postby yhan » Fri Jun 21, 2013 2:52 pm

We are running security check on the journal site. It was found that the URLs

For example,
"https://journals.uair.arizona.edu/index.php/radiocarbon/search/authors "
https://journals.uair.arizona.edu/index ... h/authors~" ( URL with "~" ) will get to the same web page. I assume this is a bug?

Anything knows this happens to your site?
yhan
 
Posts: 30
Joined: Thu Mar 08, 2012 1:57 pm

Re: "~" URL issue

Postby asmecher » Fri Jun 21, 2013 3:08 pm

Hi yhan,

The "page" and "operation" parts of OJS URLs (that's the second and third, respectively, after the index.php part) are sanitized by passing them through the Core::cleanFileFar function, which removes non-alphanumerics. Thus "authors~" is equivalent to "authors". I suppose a 404 might be more appropriate, but this is perfectly safe.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8311
Joined: Wed Aug 10, 2005 12:56 pm

Re: "~" URL issue

Postby duryeek » Mon Jun 24, 2013 12:55 pm

Thanks for the quick reply asmecher,

Unfortunately, the fact that the tilde character (~) can still appear in the URL even after having passed through the cleanFileVar function, prompts a fail response from our campus-wide PCI compliance scan.

Since this is a campus-wide scan, we have to address this issue and come in to compliance even though it is safe behavior in this case.

The specific vulnerability mentioned in the scan is "Backup Files Disclosure"; info here: http://projects.webappsec.org/Predictab ... e-Location .

Is there a way to actually strip the character completely out of the URL?

Thanks again,
Kent Duryée
University of Arizona Libraries
duryeek
 
Posts: 2
Joined: Mon Jun 24, 2013 12:30 pm

Re: "~" URL issue

Postby asmecher » Mon Jun 24, 2013 1:45 pm

Hi Kent,

This is untested but should work. If you edit lib/pkp/classes/core/PKPPageRouter.inc.php and find the line...
Code: Select all
$this->_page = Core::cleanFileVar(is_null($this->_page) ? '' : $this->_page);
...you can add just above it...
Code: Select all
if ("$this->_page" != Core::cleanFileVar("$this->_page")) {
    $dispatcher = $this->getDispatcher();
    $dispatcher->handle404();
}
You can make a similar modification to the line...
Code: Select all
$this->_op = Core::cleanFileVar(empty($this->_op) ? 'index' : $this->_op);
...for a related filtering of special characters.

This should result in special characters in URL page and operation fields being redirected to a 404 page.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8311
Joined: Wed Aug 10, 2005 12:56 pm

Re: "~" URL issue

Postby duryeek » Mon Jun 24, 2013 2:14 pm

Thanks again so much, asmecher. We'll have a go at it with your changes.
duryeek
 
Posts: 2
Joined: Mon Jun 24, 2013 12:30 pm


Return to OJS Technical Support

Who is online

Users browsing this forum: No registered users and 7 guests

cron