[pve-devel] [PATCH common] fix #5486: tools: encode_text: add '%' to list of encoded characters

[Dominik Csapak]

all text that is going through encode_text will at a later point be
decoded by 'decode_text'. The latter is decoding all percent encoded
characters, even those not originally encoded by 'encode_text'.

This means, to preserve the original data, we first have to at least
percent encode the '%' itself, otherwise it's impossible to properly
store e.g. '%20' there.

It would get saved as '%20' directly, but on the next read, it gets
decoded to ' ', which is not the original data. instead we have to save
it as '%2520', which gets then correctly decoded to '%20' again

This is especially important for the vm/ct/node description, as there
users can store external links, which already include percent encoded
characters.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
AFAICS, we only use this for comment fields + first/lastname in
access-control, so we should be ok here
 src/PVE/Tools.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index 766c809..59cc5c9 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -1246,8 +1246,8 @@ sub upid_normalize_status_type {
 sub encode_text {
     my ($text) = @_;
 
-    # all control and hi-bit characters, and ':'
-    my $unsafe = "^\x20-\x39\x3b-\x7e";
+    # all control and hi-bit characters, ':' and '%'
+    my $unsafe = "^\x20-\x24\x26-\x39\x3b-\x7e";
     return uri_escape(Encode::encode("utf8", $text), $unsafe);
 }
 
-- 
2.39.2