Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6606

Encoded characters in URI are decoded multiple times during preprocess

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.2
    • Fix Version/s: 3.1.3, 2.7.18, 3.0.7
    • Component/s: JAX-RS
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      When given a url like /api/%255E/users.json, RequestPreprocessor#preprocess first does handleExtensionMappings, which creates a PathSegmentImpl with a single arg constructor, decoding the path. The path on Message is set to the decoded path with a call to updatePath if the .json extension was found within the extension mappings. Back in RequestPreprocessor#preprocess, the path returned will be decoded again within the call to UriInfoImpl#getPath.

      This causes the %255E in the path to be decoded the first time as %5E, then the second time as ^.

      I believe this could be fixed by constructing PathSegment within handleLanguageMappings and handleExtensionMappings with a second false argument.

        Attachments

          Activity

            People

            • Assignee:
              sergey_beryozkin Sergey Beryozkin
              Reporter:
              tylerbrazier Tyler Brazier
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: