src: add portable url_safe() like we have exec_safe(); closes #1068

2026-03-14 00:24:40 +00:00 · 2016-08-22 08:16:38 +02:00 · 2016-08-22 08:16:38 +02:00 · 35ec2adc3a
commit 35ec2adc3a
parent ed4a3335fe
3 changed files with 26 additions and 11 deletions
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@ -988,6 +988,21 @@ function log_error($error)
    syslog(LOG_ERR, "$page: $error");
 }

+function url_safe($format, $args = array())
+{
+    if (!is_array($args)) {
+        /* just in case there's only one argument */
+        $args = array($args);
+    }
+
+    foreach ($args as $id => $arg) {
+        $args[$id] = urlencode($arg);
+    }
+
+    return vsprintf($format, $args);
+}
+
+
 /****f* util/exec_command
 * NAME
 *   exec_command - Execute a command and return a string of the result.
--- a/src/www/system_usermanager.php
+++ b/src/www/system_usermanager.php
@ -173,7 +173,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            unset($a_user[$id]);
            write_config();
            $savemsg = sprintf(gettext('The user "%s" was successfully removed.'), $userdeleted);
-            header("Location: system_usermanager.php?savemsg=".$savemsg);
+            header(url_safe('Location: system_usermanager.php?savemsg=%s', $savemsg));
            exit;
        }
    } elseif ($act == "delcert" && isset($id)) {
@ -183,7 +183,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        unset($a_user[$id]['cert'][$pconfig['certid']]);
        write_config();
        $savemsg = sprintf(gettext('The certificate association "%s" was successfully removed.'), $certdeleted);
-        header("Location: system_usermanager.php?savemsg=".$savemsg."&act=edit&userid=".$id);
+        header(url_safe('Location: system_usermanager.php?savemsg=%s&act=edit&userid=%s', array($savemsg, $id)));
        exit;
    } elseif ($act == "newApiKey" && isset($id)) {
        // every action is using the sequence of the user, to keep it understandable, we will use
@ -209,7 +209,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $savemsg = gettext('No API key found');
        }
        // redirect
-        header("Location: system_usermanager.php?savemsg=".$savemsg."&act=edit&userid=".$id);
+        header(url_safe('Location: system_usermanager.php?savemsg=%s&act=edit&userid=%s', array($savemsg, $id)));
        exit;
    } elseif (isset($pconfig['save'])) {
        // save user
@ -347,17 +347,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {

            if (!empty($pconfig['chkNewCert'])) {
                // redirect to cert manager when a new cert is requested for this user
-                header("Location: system_certmanager.php?act=new&userid=".(count($a_user)-1));
+                header(url_safe('Location: system_certmanager.php?act=new&userid=%s', count($a_user) - 1));
            } else {
-                header("Location: system_usermanager.php");
+                header(url_safe('Location: system_usermanager.php'));
                exit;
            }
        }
    } elseif (isset($id)) {
-        header("Location: system_usermanager.php?userid=".$id);
+        header(url_safe('Location: system_usermanager.php?userid=%s', $id));
        exit;
    } else {
-        header("Location: system_usermanager.php");
+        header(url_safe('Location: system_usermanager.php'));
        exit;
    }
 }
--- a/src/www/system_usermanager_addprivs.php
+++ b/src/www/system_usermanager_addprivs.php
@ -52,7 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $input_type = "group";
        $id = $_GET['groupid'];
    } else {
-        header("Location: system_usermanager.php");
+        header(url_safe('Location: system_usermanager.php'));
        exit;
    }
    if ($input_type == "group") {
@ -80,7 +80,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $retval = write_config();
            $savemsg = get_std_save_message();

-            header("Location: system_usermanager.php?act=edit&userid=".$userid."&savemsg=".$savemsg);
+            header(url_safe('Location: system_usermanager.php?act=edit&userid=%s&savemsg=%s', array($userid, $savemsg)));
            exit;
        } elseif ($_POST['input_type'] == 'group' && isset($config['system']['group'][$pconfig['id']]['name'])) {
            $groupid = $_POST['id'];
@ -101,11 +101,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            }

            write_config();
-            header("Location: system_groupmanager.php?act=edit&groupid={$groupid}");
+            header(url_safe('Location: system_groupmanager.php?act=edit&groupid=%s', $groupid));
            exit;
        }
    }
-    header("Location: system_usermanager.php");
+    header(url_safe('Location: system_usermanager.php'));
    exit;
 }