
c2c-oerpscenario team mailing list archive

[Bug 698036] Re: [6.0] doubly urlencoded GET statements in webclient

 

** Project changed: openobject-addons => openobject-client-web

** Changed in: openobject-client-web
   Importance: Undecided => Low

** Changed in: openobject-client-web
       Status: New => Confirmed

** Changed in: openobject-client-web
     Assignee: (unassigned) => OpenERP SA's Web Client R&D (openerp-dev-web)

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/698036

Title:
  [6.0] doubly urlencoded GET statements in webclient

Status in OpenObject Web Client:
  Confirmed

Bug description:
  In Sales -> Calendar -> (Calendar), the statement that calls this page is urlencoded partly twice: 

This is the request, before uri_decode: 

https://openerp3.somewhere/openerp/menu?active=71&next=%2Fopenerp%2Fexecute%3Faction%3D%257B%2522groups_id%2522%253A%2B%255B%255D%252C%2B%2522domain%2522%253A%2Bfalse%252C%2B%2522help%2522%253A%2Bfalse%252C%2B%2522view_type%2522%253A%2B%2522form%2522%252C%2B%2522auto_search%2522%253A%2Btrue%252C%2B%2522res_model%2522%253A%2B%2522mailgate.message%2522%252C%2B%2522view_id%2522%253A%2Bfalse%252C%2B%2522search_view_id%2522%253A%2B%255B213%252C%2B%2522mailgate.message.search%2522%255D%252C%2B%2522auto_refresh%2522%253A%2B0%252C%2B%2522view_mode%2522%253A%2B%2522tree%252Cform%2522%252C%2B%2522view_ids%2522%253A%2B%255B%255D%252C%2B%2522id%2522%253A%2B105%252C%2B%2522target%2522%253A%2B%2522current%2522%252C%2B%2522opened%2522%253A%2Btrue%252C%2B%2522multi%2522%253A%2Bfalse%252C%2B%2522name%2522%253A%2B%2522Nachrichten%2522%252C%2B%2522menus%2522%253A%2Bfalse%252C%2B%2522views%2522%253A%2B%255B%255Bfalse%252C%2B%2522tree%2522%255D%252C%2B%255Bfalse%252C%2B%2522form%2522%255D%255D%252C%2B%2522filter%2522%253A%2Bfalse%252C%2B%2522src_model%2522%253A%2Bfalse%252C%2B%2522display_menu_tip%2522%253A%2Bfalse%252C%2B%2522limit%2522%253A%2B80%252C%2B%2522context%2522%253A%2B%2522%257B%257D%2522%252C%2B%2522usage%2522%253A%2Bfalse%252C%2B%2522type%2522%253A%2B%2522ir.actions.act_window%2522%257D%26data%3D%257B%2522context%2522%253A%2B%257B%2522lang%2522%253A%2B%2522de_CH%2522%252C%2B%2522tz%2522%253A%2Bfalse%252C%2B%2522section_id%2522%253A%2Bfalse%252C%2B%2522client%2522%253A%2B%2522web%2522%252C%2B%2522project_id%2522%253A%2Bfalse%252C%2B%2522department_id%2522%253A%2Bfalse%257D%252C%2B%2522model%2522%253A%2B%2522ir.ui.menu%2522%252C%2B%2522id%2522%253A%2B108%252C%2B%2522report_type%2522%253A%2B%2522pdf%2522%252C%2B%2522ids%2522%253A%2B%255B108%255D%257D#url=%2Fopenerp%2Fexecute%3Faction%3D%257B%2522groups_id%2522%253A%2B%255B%255D%252C%2B%2522domain%2522%253A%2Bfalse%252C%2B%2522help%2522%253A%2B%2522Der%2BTerminkalender%2Bsteht%2Ballen%2BMitgliedern%2Beines%2BVertriebsteams%2Bzu
r%2BVerf%255Cu00fcgung%2Bund%2Bintegriert%2Bvollst%255Cu00e4ndig%2Bandere%2BAnwendungen%2Bwie%2BUrlaubszeitverwaltung%2Bund%2BVerkaufsterminen.%2BSie%2Bk%255Cu00f6nnen%2Bausserdem%2Bdie%2BTermine%2BIhres%2BVertriebs%2B%255Cu00fcber%2BCalDav%2Bmit%2BIhrem%2BMobiltelefon%2Babgleichen.%2522%252C%2B%2522view_type%2522%253A%2B%2522form%2522%252C%2B%2522auto_search%2522%253A%2Btrue%252C%2B%2522res_model%2522%253A%2B%2522crm.meeting%2522%252C%2B%2522view_id%2522%253A%2B%255B549%252C%2B%2522CRM%2B-%2BMeetings%2BCalendar%2522%255D%252C%2B%2522search_view_id%2522%253A%2B%255B551%252C%2B%2522CRM%2B-%2BMeetings%2BSearch%2522%255D%252C%2B%2522auto_refresh%2522%253A%2B0%252C%2B%2522view_mode%2522%253A%2B%2522calendar%252Ctree%252Cform%252Cgantt%2522%252C%2B%2522view_ids%2522%253A%2B%255B40%252C%2B43%252C%2B41%252C%2B42%255D%252C%2B%2522id%2522%253A%2B345%252C%2B%2522target%2522%253A%2B%2522current%2522%252C%2B%2522opened%2522%253A%2Btrue%252C%2B%2522multi%2522%253A%2Bfalse%252C%2B%2522name%2522%253A%2B%2522Terminkalender%2522%252C%2B%2522menus%2522%253A%2Bfalse%252C%2B%2522views%2522%253A%2B%255B%255B549%252C%2B%2522calendar%2522%255D%252C%2B%255B550%252C%2B%2522gantt%2522%255D%252C%2B%255B548%252C%2B%2522tree%2522%255D%252C%2B%255B547%252C%2B%2522form%2522%255D%255D%252C%2B%2522filter%2522%253A%2Bfalse%252C%2B%2522src_model%2522%253A%2Bfalse%252C%2B%2522display_menu_tip%2522%253A%2Bfalse%252C%2B%2522limit%2522%253A%2B80%252C%2B%2522context%2522%253A%2B%2522%257B%255C%2522search_default_user_id%255C%2522%253Auid%252C%2B%2527search_default_section_id%2527%253A%2Bsection_id%257D%2522%252C%2B%2522usage%2522%253A%2Bfalse%252C%2B%2522type%2522%253A%2B%2522ir.actions.act_window%2522%257D%26data%3D%257B%2522context%2522%253A%2B%257B%2522lang%2522%253A%2B%2522de_CH%2522%252C%2B%2522tz%2522%253A%2Bfalse%252C%2B%2522section_id%2522%253A%2Bfalse%252C%2B%2522search_default_section_id%2522%253A%2Bfalse%252C%2B%2522search_default_user_id%2522%253A%2B4%252C%2B%2522client%2522%253A%2B%2522web%25
22%252C%2B%2522project_id%2522%253A%2Bfalse%252C%2B%2522department_id%2522%253A%2Bfalse%257D%252C%2B%2522model%2522%253A%2B%2522ir.ui.menu%2522%252C%2B%2522id%2522%253A%2B260%252C%2B%2522report_type%2522%253A%2B%2522pdf%2522%252C%2B%2522ids%2522%253A%2B%255B260%255D%257D

after one uri_decode: 

https://openerp3.somewhere/openerp/menu?active=71&next=/openerp/execute?action=%7B%22groups_id%22%3A+%5B%5D%2C+%22domain%22%3A+false%2C+%22help%22%3A+false%2C+%22view_type%22%3A+%22form%22%2C+%22auto_search%22%3A+true%2C+%22res_model%22%3A+%22mailgate.message%22%2C+%22view_id%22%3A+false%2C+%22search_view_id%22%3A+%5B213%2C+%22mailgate.message.search%22%5D%2C+%22auto_refresh%22%3A+0%2C+%22view_mode%22%3A+%22tree%2Cform%22%2C+%22view_ids%22%3A+%5B%5D%2C+%22id%22%3A+105%2C+%22target%22%3A+%22current%22%2C+%22opened%22%3A+true%2C+%22multi%22%3A+false%2C+%22name%22%3A+%22Nachrichten%22%2C+%22menus%22%3A+false%2C+%22views%22%3A+%5B%5Bfalse%2C+%22tree%22%5D%2C+%5Bfalse%2C+%22form%22%5D%5D%2C+%22filter%22%3A+false%2C+%22src_model%22%3A+false%2C+%22display_menu_tip%22%3A+false%2C+%22limit%22%3A+80%2C+%22context%22%3A+%22%7B%7D%22%2C+%22usage%22%3A+false%2C+%22type%22%3A+%22ir.actions.act_window%22%7D&data=%7B%22context%22%3A+%7B%22lang%22%3A+%22de_CH%22%2C+%22tz%22%3A+false%2C+%22section_id%22%3A+false%2C+%22client%22%3A+%22web%22%2C+%22project_id%22%3A+false%2C+%22department_id%22%3A+false%7D%2C+%22model%22%3A+%22ir.ui.menu%22%2C+%22id%22%3A+108%2C+%22report_type%22%3A+%22pdf%22%2C+%22ids%22%3A+%5B108%5D%7D#url=/openerp/execute?action=%7B%22groups_id%22%3A+%5B%5D%2C+%22domain%22%3A+false%2C+%22help%22%3A+%22Der+Terminkalender+steht+allen+Mitgliedern+eines+Vertriebsteams+zur+Verf%5Cu00fcgung+und+integriert+vollst%5Cu00e4ndig+andere+Anwendungen+wie+Urlaubszeitverwaltung+und+Verkaufsterminen.+Sie+k%5Cu00f6nnen+ausserdem+die+Termine+Ihres+Vertriebs+%5Cu00fcber+CalDav+mit+Ihrem+Mobiltelefon+abgleichen.%22%2C+%22view_type%22%3A+%22form%22%2C+%22auto_search%22%3A+true%2C+%22res_model%22%3A+%22crm.meeting%22%2C+%22view_id%22%3A+%5B549%2C+%22CRM+-+Meetings+Calendar%22%5D%2C+%22search_view_id%22%3A+%5B551%2C+%22CRM+-+Meetings+Search%22%5D%2C+%22auto_refresh%22%3A+0%2C+%22view_mode%22%3A+%22calendar%2Ctree%2Cform%2Cgantt%22%2C+%22view_ids%22%3A+%5B40%2C+43%2C+41%2C+42%5D%2C+%22id%22%
3A+345%2C+%22target%22%3A+%22current%22%2C+%22opened%22%3A+true%2C+%22multi%22%3A+false%2C+%22name%22%3A+%22Terminkalender%22%2C+%22menus%22%3A+false%2C+%22views%22%3A+%5B%5B549%2C+%22calendar%22%5D%2C+%5B550%2C+%22gantt%22%5D%2C+%5B548%2C+%22tree%22%5D%2C+%5B547%2C+%22form%22%5D%5D%2C+%22filter%22%3A+false%2C+%22src_model%22%3A+false%2C+%22display_menu_tip%22%3A+false%2C+%22limit%22%3A+80%2C+%22context%22%3A+%22%7B%5C%22search_default_user_id%5C%22%3Auid%2C+%27search_default_section_id%27%3A+section_id%7D%22%2C+%22usage%22%3A+false%2C+%22type%22%3A+%22ir.actions.act_window%22%7D&data=%7B%22context%22%3A+%7B%22lang%22%3A+%22de_CH%22%2C+%22tz%22%3A+false%2C+%22section_id%22%3A+false%2C+%22search_default_section_id%22%3A+false%2C+%22search_default_user_id%22%3A+4%2C+%22client%22%3A+%22web%22%2C+%22project_id%22%3A+false%2C+%22department_id%22%3A+false%7D%2C+%22model%22%3A+%22ir.ui.menu%22%2C+%22id%22%3A+260%2C+%22report_type%22%3A+%22pdf%22%2C+%22ids%22%3A+%5B260%5D%7D

You notice that a lot is still encoded. 

After second uri_decode: 

https://openerp3.somewhere/openerp/menu?active=71&next=/openerp/execute?action={"groups_id":+[],+"domain":+false,+"help":+false,+"view_type":+"form",+"auto_search":+true,+"res_model":+"mailgate.message",+"view_id":+false,+"search_view_id":+[213,+"mailgate.message.search"],+"auto_refresh":+0,+"view_mode":+"tree,form",+"view_ids":+[],+"id":+105,+"target":+"current",+"opened":+true,+"multi":+false,+"name":+"Nachrichten",+"menus":+false,+"views":+[[false,+"tree"],+[false,+"form"]],+"filter":+false,+"src_model":+false,+"display_menu_tip":+false,+"limit":+80,+"context":+"{}",+"usage":+false,+"type":+"ir.actions.act_window"}&data={"context":+{"lang":+"de_CH",+"tz":+false,+"section_id":+false,+"client":+"web",+"project_id":+false,+"department_id":+false},+"model":+"ir.ui.menu",+"id":+108,+"report_type":+"pdf",+"ids":+[108]}#url=/openerp/execute?action={"groups_id":+[],+"domain":+false,+"help":+"Der+Terminkalender+steht+allen+Mitgliedern+eines+Vertriebsteams+zur+Verf\u00fcgung+und+integriert+vollst\u00e4ndig+andere+Anwendungen+wie+Urlaubszeitverwaltung+und+Verkaufsterminen.+Sie+k\u00f6nnen+ausserdem+die+Termine+Ihres+Vertriebs+\u00fcber+CalDav+mit+Ihrem+Mobiltelefon+abgleichen.",+"view_type":+"form",+"auto_search":+true,+"res_model":+"crm.meeting",+"view_id":+[549,+"CRM+-+Meetings+Calendar"],+"search_view_id":+[551,+"CRM+-+Meetings+Search"],+"auto_refresh":+0,+"view_mode":+"calendar,tree,form,gantt",+"view_ids":+[40,+43,+41,+42],+"id":+345,+"target":+"current",+"opened":+true,+"multi":+false,+"name":+"Terminkalender",+"menus":+false,+"views":+[[549,+"calendar"],+[550,+"gantt"],+[548,+"tree"],+[547,+"form"]],+"filter":+false,+"src_model":+false,+"display_menu_tip":+false,+"limit":+80,+"context":+"{\"search_default_user_id\":uid,+'search_default_section_id':+section_id}",+"usage":+false,+"type":+"ir.actions.act_window"}&data={"context":+{"lang":+"de_CH",+"tz":+false,+"section_id":+false,+"search_default_section_id":+false,+"search_default_user_id":+4,+"client":+"web",+"project
_id":+false,+"department_id":+false},+"model":+"ir.ui.menu",+"id":+260,+"report_type":+"pdf",+"ids":+[260]}

So this is definitely something fishy.
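
Added example, not part of the original bug report or of the OpenERP web client code: it rebuilds a shortened, constructed URL of the same shape as the request above (a `next` parameter carrying `/openerp/execute?action=<JSON>`) and removes one percent-encoding layer per query-string parse, reporting any leaf value that still contains escapes after its last parse. The function names, the sample action dict and the over-encoded counter-example are assumptions made for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, quote_plus, urlencode, urlsplit

# Constructed sample, shortened from the shape of the request in the report.
ACTION = {"res_model": "crm.meeting", "view_mode": "calendar,tree,form,gantt"}
INNER = "/openerp/execute?" + urlencode({"action": json.dumps(ACTION)})
OUTER = "https://openerp3.somewhere/openerp/menu?" + urlencode(
    {"active": "71", "next": INNER})

# Constructed counter-example: the JSON is encoded once more than the nesting needs.
BAD_INNER = "/openerp/execute?" + urlencode(
    {"action": quote_plus(json.dumps(ACTION))})
BAD_OUTER = "https://openerp3.somewhere/openerp/menu?" + urlencode(
    {"next": BAD_INNER})

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def layers(url, depth=1, max_depth=4):
    """Return (depth, name, value) for every query parameter.

    parse_qsl removes exactly one encoding layer; a value that is itself a
    URL with a query string is parsed again at depth + 1.
    """
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found.append((depth, name, value))
        if "?" in value and depth < max_depth:
            found.extend(layers(value, depth + 1, max_depth))
    return found


def over_encoded(url):
    """Leaf parameters that still hold percent-escapes after their last parse."""
    return [(d, n) for d, n, v in layers(url)
            if "?" not in v and ESCAPE.search(v)]


if __name__ == "__main__":
    print(OUTER)
    for depth, name, value in layers(OUTER):
        print(depth, name, value)
    print("over-encoded:", over_encoded(OUTER), over_encoded(BAD_OUTER))
```
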




