Code Fix: Security improvement form and view parameters values.

  • 16 February 2021

 


KB003406

PRODUCT
K2 Five 5.3
K2 Five (5.3) Fix Pack 28

 

Issue Description

After installing K2 5.3 FP 6, form and view parameter values were URL decoded twice. This caused functional issues, depending on how the forms or views were designed with parameters, and impacted security. In workflows, user tasks did not correctly URL encode the parameters of the worklist item URL if a parameter value contained special characters such as &, / and ?. Certain special characters, such as % and £, were also incorrectly double URL encoded.
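
An added illustration (not K2 code and not part of the original article) of how decoding or encoding a parameter value more than once changes it, using Python's urllib.parse. The URL, the parameter name p and the sample values are constructed assumptions. A value containing a literal percent sequence is rewritten by the second decode, so any check made after the first decode no longer describes the value that is finally used.

```python
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

BASE = "https://k2.example.invalid/form"  # hypothetical placeholder URL
# Constructed sample values built from the characters the article names.
SAMPLES = ["A&B", "docs/2021", "why?", "100%", "£25", "50%25 off", "a%26b"]

def build_url(base, params):
    """Percent-encode every parameter value exactly once."""
    return base + "?" + urlencode(params, quote_via=quote, safe="")

def decode_once(url):
    """Expected handling: the query string is decoded a single time."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def decode_twice(url):
    """The reported behaviour: already-decoded values are decoded again."""
    return {k: unquote(v) for k, v in decode_once(url).items()}

def encode_twice(value):
    """Double encoding, as reported for % and £."""
    return quote(quote(value, safe=""), safe="")

def audit(values):
    """Map each value that a second decode alters to what it becomes."""
    changed = {}
    for value in values:
        url = build_url(BASE, {"p": value})
        if decode_once(url)["p"] != value:
            raise ValueError(f"single decode did not round-trip: {value!r}")
        twice = decode_twice(url)["p"]
        if twice != value:
            changed[value] = twice
    return changed

if __name__ == "__main__":
    for original, mangled in audit(SAMPLES).items():
        print(f"{original!r} becomes {mangled!r} after a second decode")
    for ch in "%£":
        print(f"{ch!r} double encoded is {encode_twice(ch)!r}")
```
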

Resolution

The fix is available in the following K2 versions:

| K2 4.7 March 2018 Cumulative Update | K2 Five (5.0) September 2018 Cumulative Update | K2 Five (5.1) November 2018 Cumulative Update | K2 Five (5.2) May 2019 Cumulative Update | K2 Five (5.3) |
| --- | --- | --- | --- | --- |
| X | X | X | X | Fix Pack 28 |

    1. Ensure you have the correct K2 version and/or Cumulative Update installed. See KB001893 to see what Fix Pack level you have installed.
    2. Download the latest Fix Pack using the links in the table above for the version you require.
    3. Install the Fix Pack to apply the fix.
    4. It is recommended to refresh the browser cache.

Considerations

K2 5.3 Fix Pack 6 contained a fix described in https://help.k2.com/kb003222. Note that after installing Fix Pack 28, your running instances containing the Pound symbol will no longer be decoded correctly. To work around this issue, start a new instance of the workflow to obtain the correct decoding, or contact support for a script that updates all running instances in the K2 Database.

 

