Bug #87664
closedfe_login password reset link is double encoded
0%
Description
The link to reset the password in the mail sent to the user has double encoded keys:
The brackets are encoded as %255B and %255D instead of %5B and %5D.
The 2 places where the link is encoded are:
1. \TYPO3\CMS\Felogin\Controller\FrontendLoginController::generateAndSendHash Line 465
$link = $this->pi_getPageLink($this->frontendController->id, '', [
rawurlencode($this->prefixId . '[user]') => $user['uid'],
rawurlencode($this->prefixId . '[forgothash]') => $randHash
]);
2. \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getTypoLink Line 5573
if (is_array($urlParameters)) {
if (!empty($urlParameters)) {
$conf['additionalParams'] .= HttpUtility::buildQueryString($urlParameters, '&');
}
} else {
$conf['additionalParams'] .= $urlParameters;
}
This results in a link like:
https://www.domain.com/passwort-reset?tx_felogin_pi1%255Bforgothash%255D=1549484728%7Cd6227774d0afb681a4545755636cc779&tx_felogin_pi1%255Buser%255D=12345&cHash=dc1119c6ac03edaa552a1bb3b5100ed6
instead of
https://www.domain.com/passwort-reset?tx_felogin_pi1%5Bforgothash%5D=1549484755%7Cc4bae072f8d1befd832a75bcb2553905&tx_felogin_pi1%5Buser%5D=12345&cHash=605d05836ede389d767bc518a8c2cfea
I think the rawurlencode of the keys in the FrontendController is superfluous.