"~" URL issue

Are you responsible for making OJS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, btbell, michael, bdgregg, barbarah, asmecher

Forum rules
The Public Knowledge Project Support Forum is moving to http://forum.pkp.sfu.ca

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.
yhan
Posts: 30
Joined: Thu Mar 08, 2012 1:57 pm

"~" URL issue

Postby yhan » Fri Jun 21, 2013 2:52 pm

We are running security check on the journal site. It was found that the URLs

For example,
"https://journals.uair.arizona.edu/index.php/radiocarbon/search/authors "
https://journals.uair.arizona.edu/index ... h/authors~" ( URL with "~" ) will get to the same web page. I assume this is a bug?

Anything knows this happens to your site?

asmecher
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
Contact:

Re: "~" URL issue

Postby asmecher » Fri Jun 21, 2013 3:08 pm

Hi yhan,

The "page" and "operation" parts of OJS URLs (that's the second and third, respectively, after the index.php part) are sanitized by passing them through the Core::cleanFileFar function, which removes non-alphanumerics. Thus "authors~" is equivalent to "authors". I suppose a 404 might be more appropriate, but this is perfectly safe.

Regards,
Alec Smecher
Public Knowledge Project Team

duryeek
Posts: 2
Joined: Mon Jun 24, 2013 12:30 pm

Re: "~" URL issue

Postby duryeek » Mon Jun 24, 2013 12:55 pm

Thanks for the quick reply asmecher,

Unfortunately, the fact that the tilde character (~) can still appear in the URL even after having passed through the cleanFileVar function, prompts a fail response from our campus-wide PCI compliance scan.

Since this is a campus-wide scan, we have to address this issue and come in to compliance even though it is safe behavior in this case.

The specific vulnerability mentioned in the scan is "Backup Files Disclosure"; info here: http://projects.webappsec.org/Predictab ... e-Location .

Is there a way to actually strip the character completely out of the URL?

Thanks again,
Kent Duryée
University of Arizona Libraries

asmecher
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
Contact:

Re: "~" URL issue

Postby asmecher » Mon Jun 24, 2013 1:45 pm

Hi Kent,

This is untested but should work. If you edit lib/pkp/classes/core/PKPPageRouter.inc.php and find the line...

Code: Select all

$this->_page = Core::cleanFileVar(is_null($this->_page) ? '' : $this->_page);
...you can add just above it...

Code: Select all

if ("$this->_page" != Core::cleanFileVar("$this->_page")) {
    $dispatcher = $this->getDispatcher();
    $dispatcher->handle404();
}
You can make a similar modification to the line...

Code: Select all

$this->_op = Core::cleanFileVar(empty($this->_op) ? 'index' : $this->_op);
...for a related filtering of special characters.

This should result in special characters in URL page and operation fields being redirected to a 404 page.

Regards,
Alec Smecher
Public Knowledge Project Team

duryeek
Posts: 2
Joined: Mon Jun 24, 2013 12:30 pm

Re: "~" URL issue

Postby duryeek » Mon Jun 24, 2013 2:14 pm

Thanks again so much, asmecher. We'll have a go at it with your changes.


Return to “OJS Technical Support”

Who is online

Users browsing this forum: Bing [Bot] and 1 guest