Bug 23042: Correct shib param escaping

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
5 years ago · 8a766c2208
5 changed files with 12 additions and 9 deletions
--- a/C4/Auth_with_shibboleth.pm
+++ b/C4/Auth_with_shibboleth.pm
@ -206,12 +206,12 @@ sub _get_return {
        if ($uriPiece) {
            $uri_params_part .= '&' if $uri_params_part;
            $uri_params_part .= $param . '=';
-            $uri_params_part .= URI::Escape::uri_escape( $uriPiece );
+            $uri_params_part .= $uriPiece;
        }
    }
    $uri_base_part .= '%3F' if $uri_params_part;

-    return $uri_base_part . $uri_params_part;
+    return $uri_base_part . URI::Escape::uri_escape_utf8($uri_params_part);
 }

 sub _get_shib_config {
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@ -55,7 +55,7 @@
 [% IF (invalidShibLogin ) %]
 <div id="login_error"><Strong>Error: </strong>Shibboleth login failed</div>
 [% END %]
-<p>If you have a shibboleth account, please <a href="[% shibbolethLoginUrl | url %]">click here</a> to login.</p>
+<p>If you have a shibboleth account, please <a href="[% shibbolethLoginUrl | $raw %]">click here</a> to login.</p>
 [% END %]

 <!-- login prompt time-->
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
@ -344,7 +344,7 @@
                        </div>
                    [% ELSE %]
                        <h4>Shibboleth login</h4>
-                        <p>If you have a Shibboleth account, please <a href="[% shibbolethLoginUrl | url %]">click here to login</a>.</p>
+                        <p>If you have a Shibboleth account, please <a href="[% shibbolethLoginUrl | $raw %]">click here to login</a>.</p>
                        <h4>Local Login</h4>
                    [% END %]
                [% END %]
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
@ -83,7 +83,7 @@
                                    </div>
                            [% ELSE %]
                                <h4>Shibboleth Login</h4>
-                                <p><a href="[% shibbolethLoginUrl | url %]">If you have a Shibboleth account, please click here to log in.</a></p>
+                                <p><a href="[% shibbolethLoginUrl | $raw %]">If you have a Shibboleth account, please click here to log in.</a></p>
                            [% END %]
                            [% IF ( casAuthentication ) %]
                                <h4>CAS login</h4>
--- a/t/Auth_with_shibboleth.t
+++ b/t/Auth_with_shibboleth.t
@ -24,7 +24,8 @@ use Test::MockModule;
 use Test::Warn;
 use File::Temp qw(tempdir);

-use CGI;
+use utf8;
+use CGI qw(-utf8 );
 use C4::Context;

 BEGIN {
@ -128,7 +129,9 @@ subtest "shib_ok tests" => sub {
 subtest "login_shib_url tests" => sub {
    plan tests => 2;

-    my $query_string = 'language=en-GB';
+    my $string = 'language=en-GB&param="heh❤"';
+    my $query_string = Encode::encode('UTF-8', $string);
+    my $query_string_uri_escaped = URI::Escape::uri_escape_utf8('?'.$string);

    local $ENV{REQUEST_METHOD} = 'GET';
    local $ENV{QUERY_STRING}   = $query_string;
@ -138,8 +141,8 @@ subtest "login_shib_url tests" => sub {
        login_shib_url($query),
        'https://testopac.com'
          . '/Shibboleth.sso/Login?target='
-          . 'https://testopac.com/cgi-bin/koha/opac-user.pl' . '%3F'
-          . $query_string,
+          . 'https://testopac.com/cgi-bin/koha/opac-user.pl'
+          . $query_string_uri_escaped,
        "login shib url"
    );