Posted to commits@tomee.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/12/02 15:23:00 UTC

[jira] [Work logged] (TOMEE-3818) Double url-decode of form parameters

     [ https://issues.apache.org/jira/browse/TOMEE-3818?focusedWorklogId=689396&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-689396 ]

ASF GitHub Bot logged work on TOMEE-3818:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Dec/21 15:22
            Start Date: 02/Dec/21 15:22
    Worklog Time Spent: 10m 
      Work Description: jgallimore merged pull request #807:
URL: https://github.com/apache/tomee/pull/807


   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 689396)
    Remaining Estimate: 0h
            Time Spent: 10m

> Double url-decode of form parameters
> ------------------------------------
>
>                 Key: TOMEE-3818
>                 URL: https://issues.apache.org/jira/browse/TOMEE-3818
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 8.0.8
>            Reporter: Jonathan Gallimore
>            Assignee: Jonathan Gallimore
>            Priority: Major
>             Fix For: 8.0.9
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Where form parameters are retrieved via HttpServletRequest.getParameter methods ([https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/FormUtils.java#L176-L180]), the key and value are already URL decoded.
>  
> They are then subsequently decoded again: [https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/JAXRSUtils.java#L1172-L1178]
>  
> The effect here is that an endpoint like this:
> {code:java}
> @POST
> @Path("/api")
> @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
> @Produces(MediaType.TEXT_PLAIN)
> public Response myWebService(@Context HttpServletRequest request, @Context HttpServletResponse res, @FormParam("p1") String p1) {
>     LOGGER.info("Value received: " + p1);
>     return Response.ok(p1).build();
> }{code}
> if called with a payload of
> p1=hello%2bworld
> would receive "hello world" and not "hello+world".
> A test for this is here: https://github.com/apache/tomee/commit/fdf4ef88b5943cc7556ed1984c2982801b6c2841



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
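
The double decode described in the issue, reproduced with the JDK's own URLDecoder as an added example (not code from TomEE, CXF, or the linked test). Assumptions: the class and method names are hypothetical, and `containerDecode` is only a stand-in for the single decode the servlet container performs before `getParameter` returns.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class DoubleDecodeDemo {

    // Hypothetical stand-in for the container's form parsing behind getParameter():
    // split the raw body and URL-decode each key and value exactly once.
    static Map<String, String> containerDecode(String rawBody) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : rawBody.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decode(k), decode(v));
        }
        return params;
    }

    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // True when a further decode would leave an already-decoded value unchanged.
    // Values containing '+' or '%' fail this check, which is where the bug shows.
    static boolean survivesSecondDecode(String decodedOnce) {
        try {
            return decode(decodedOnce).equals(decodedOnce);
        } catch (IllegalArgumentException e) {
            return false; // a literal '%' that is not a valid escape sequence
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies; the first is the payload from the issue.
        String[] bodies = { "p1=hello%2bworld", "p1=100%25", "p1=plain" };
        for (String body : bodies) {
            String once = containerDecode(body).get("p1");
            String twice;
            try { twice = decode(once); }
            catch (IllegalArgumentException e) { twice = "<" + e.getMessage() + ">"; }
            System.out.printf("%-18s once=%-12s twice=%-12s stable=%b%n",
                    body, once, twice, survivesSecondDecode(once));
        }
    }
}
```

The second sample goes beyond the issue's case: a value that legitimately ends in a literal `%` after one decode makes the second decode throw instead of silently changing the data.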