[TOMEE-3818] Double url-decode of form parameters - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 8.0.8
Fix Version/s: 8.0.9
Component/s: None
Labels:
None

Description

Where form parameters are retrieved via HttpServletRequest.getParameter methods (https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/FormUtils.java#L176-L180), the key and value are already URL decoded.

They are then subsequently decoded again: https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/JAXRSUtils.java#L1172-L1178

The effect here is that an endpoint like this:

@POST
@Path("/api")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
public Response myWebService(@Context HttpServletRequest request, @Context HttpServletResponse res, @FormParam("p1") String p1) {
    LOGGER.info("Value received: " + p1);
    return Response.ok(p1).build();
}

if called with a payload of

p1=hello%2bworld

would receive "hello world" and not "hello+world".

A test for this is here: https://github.com/apache/tomee/commit/fdf4ef88b5943cc7556ed1984c2982801b6c2841

Attachments

Issue Links

links to

GitHub Pull Request #807

Activity

People

Assignee:: Jonathan Gallimore

Reporter:: Jonathan Gallimore

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25/Nov/21 17:44

Updated:: 06/Dec/21 11:20

Resolved:: 06/Dec/21 11:20

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

10m