
#2656 (ok 3.0.1) ForceSSL generates incorrect redirections

Milestone: 3.0.0
Status: fixed
Priority: 1
Updated: 2013-06-11
Created: 2008-03-14
Private: No

When ForceSSL is turned on, a URL like
http://server/phpMyAdmin/
is redirected to
https://server/phpMyAdmin/?collation_connection=utf8_unicode_ci&amp;token=...

This is incorrect: the URL should contain & and not &amp;. The &amp; encoding is only used for embedding the URL into an HTML document. It should never be treated as part of the URL itself. The &amp; should be generated with htmlspecialchars() at the time that a tag like <a href="..."> is generated.

Discussion

  • Marc Delisle

    Marc Delisle - 2008-09-25
    • assigned_to: nobody --> lem9
     
  • Marc Delisle

    Marc Delisle - 2008-09-25

    Suggested patch (for trunk):
    Index: libraries/common.inc.php
    ===================================================================
    --- libraries/common.inc.php (revision 11614)
    +++ libraries/common.inc.php (copie de travail)
    @@ -539,7 +539,7 @@
    PMA_sendHeaderLocation(
    preg_replace('/^http/', 'https',
    $_SESSION['PMA_Config']->get('PmaAbsoluteUri'))
    - . PMA_generate_common_url($_GET));
    + . PMA_generate_common_url($_GET, '', '&'));
    exit;
    }
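Review bot: the `+` line passes '&' as the third argument, but as discussed later in this thread that position is the query-string prefix ($questionmark), not the separator, so the redirect target becomes `PmaAbsoluteUri` followed by `&collation_connection=...` with no `?` at all and the parameters end up in the path. The empty second argument already selects the non-HTML form, so the intended call is `PMA_generate_common_url($_GET, 'text')` (any non-'html' second argument with the default third), and a short comment on why the text form is required here would help: the value goes into a Location header, not into HTML, so htmlspecialchars() must not be applied to it.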

     
  • Marc Delisle

    Marc Delisle - 2008-09-26

    Fixed in subversion, thanks for reporting.

     
  • Marc Delisle

    Marc Delisle - 2008-09-26
    • summary: ForceSSL generates incorrectly escaped redirections --> (ok 3.0.0-rc3) ForceSSL generates incorrect redirections
    • priority: 5 --> 1
    • status: open --> open-fixed
     
  • Marc Delisle

    Marc Delisle - 2008-09-27
    • status: open-fixed --> closed-fixed
     
  • Glenn

    Glenn - 2008-10-05

    The suggested patch contains an error.

    The line containing the call to PMA_generate_common_url() should be

    . PMA_generate_common_url($_GET, '', '?'));

    to force non-html url generation with '&' separators.

    The third argument becomes $args[2] in PMA_generate_common_url() and overrides the default value of $questionmark in that function. Passing '&' for the third argument is incorrect in this context, as the query string must begin with '?' not '&'.

     
  • Marc Delisle

    Marc Delisle - 2008-10-06
    • priority: 1 --> 5
    • summary: (ok 3.0.0-rc3) ForceSSL generates incorrect redirections --> ForceSSL generates incorrect redirections
    • status: closed-fixed --> open
     
  • Marc Delisle

    Marc Delisle - 2008-10-06

    The doc for this function was not clear, I'll clarify it. But the correct call is
    PMA_generate_common_url($_GET, '&');
    because the first parameter is an array.

     
  • Marc Delisle

    Marc Delisle - 2008-10-06
    • milestone: 812350 --> 3.0.0
     
  • Marc Delisle

    Marc Delisle - 2008-10-06
    • summary: ForceSSL generates incorrect redirections --> (ok 3.0.1) ForceSSL generates incorrect redirections
    • priority: 5 --> 1
    • status: open --> open-fixed
     
  • Glenn

    Glenn - 2008-10-06

    Well, yes, but not the best practice. The call

    PMA_generate_common_url($_GET, '&');

    will work, but not because the second argument is '&'. Using '&' as the second argument implies it sets '&' as the literal separator character. A better call would be

    PMA_generate_common_url($_GET, '');

    or anything other than 'html' for the second argument. The second argument becomes $args[1] in the function. If present it sets the value for $encode, preventing 'html' from being set by default. If $encode == 'html', the result is passed through htmlspecialchars(). Using '&' as the second argument only works because it is an arbitrary value other than 'html'. However, calling the function that way implies that the second argument forces the literal character '&' as the separator, and that isn't how the function actually works. The function provides no ability to override the separator character through its arguments, only whether or not it is passed through htmlspecialchars().

     
  • Marc Delisle

    Marc Delisle - 2008-10-07

    Thanks for your comments. I think the best call would be this one:

    PMA_generate_common_url($_GET, 'text');

    with a change to the comments for second parameter, agreed?
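As an added illustration (not code from this thread or from phpMyAdmin), the following PHP mimics the behaviour Glenn describes and the calls discussed above, using a hypothetical build_query_url() in place of PMA_generate_common_url() and a constructed parameter set:

```php
<?php
// Hypothetical stand-in for PMA_generate_common_url(), written for this
// example only; it is not phpMyAdmin's code. It follows the behaviour the
// thread describes: $encode decides whether the result goes through
// htmlspecialchars() ('html') or is returned raw (anything else, e.g. 'text'),
// and $questionmark is the prefix placed before the query string. The '&'
// separator itself cannot be changed through the arguments.
function build_query_url(array $params, string $encode = 'html', string $questionmark = '?'): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = urlencode((string) $key) . '=' . urlencode((string) $value);
    }
    $query = $questionmark . implode('&', $pairs);
    // Only the HTML form is escaped ('&' becomes '&amp;'), for use inside markup.
    return $encode === 'html' ? htmlspecialchars($query, ENT_QUOTES) : $query;
}

// Constructed sample input: the parameters seen in the redirect from the report,
// with a placeholder instead of a real token value.
$get  = ['collation_connection' => 'utf8_unicode_ci', 'token' => 'TOKEN_PLACEHOLDER'];
$base = 'https://server/phpMyAdmin/';

$targets = [
    // Bug: the HTML-escaped form used as a Location header. The browser requests
    // the URL literally, so the second parameter arrives named "amp;token".
    'html (default)'    => $base . build_query_url($get),
    // Glenn's point about the first patch: '&' as third argument replaces the
    // leading '?', so nothing is parsed as a query string at all.
    "third arg '&'"     => $base . build_query_url($get, '', '&'),
    // Correct for a Location header: the raw text form Marc proposes.
    "second arg 'text'" => $base . build_query_url($get, 'text'),
];

foreach ($targets as $label => $url) {
    // Parse each redirect target the way the receiving server would.
    parse_str((string) parse_url($url, PHP_URL_QUERY), $parsed);
    printf("%-18s %s\n   parsed parameter names: [%s]\n", $label, $url, implode(', ', array_keys($parsed)));
}

// The 'html' form belongs only where the URL is embedded in an HTML attribute.
echo '<a href="' . build_query_url($get) . '">link</a>', "\n";
```

Running it shows that only the 'text' form yields the parameter names collation_connection and token; the default form yields amp;token and the third-argument variant yields no query parameters at all.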

     
  • Marc Delisle

    Marc Delisle - 2008-10-29
    • status: open-fixed --> closed-fixed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed-fixed --> fixed