Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
7.0.6, 7.1.1, 8.0.0-M3
-
None
Description
Adding this issue to add an issue number to the PR proposed on Github: https://github.com/apache/tomee/pull/104
A double-decode bug caused URLDecode to be applied twice to parameters passed in
via URL including basic.username and basic.password. The parameters were automatically
decoded by the call to URI.getQuery() then again as each parameter was parsed and added
to the returned Map in MulticastConnectionFactory.URIs.parseQuery(). parseQuery() splits the
query string on the ampersand character then explictly URLDecode's each value. Since
URI.getQuery() had already decoded the basic.password parameter, the splitting process
in parseQuery truncated the password at the first ampersand character.Instead, URI.getRawQuery() should be called to get the still URLEncoded query string. The
splitting and subsequent decoding in parseQuery() then correctly extracts the full password
from the query string.PR contains failing unit test & fix.