You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Martin Becker (JIRA)" <ji...@apache.org> on 2018/03/12 14:48:01 UTC

[jira] [Updated] (OFBIZ-10275) UtilCodec URL decoding breaks values with german umlauts

     [ https://issues.apache.org/jira/browse/OFBIZ-10275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Becker updated OFBIZ-10275:
----------------------------------
    Attachment: OFBIZ-10275_UrlCodec_decode_via_URLDecoder.patch

> UtilCodec URL decoding breaks values with german umlauts
> --------------------------------------------------------
>
>                 Key: OFBIZ-10275
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10275
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Martin Becker
>            Priority: Major
>         Attachments: OFBIZ-10275_UrlCodec_decode_via_URLDecoder.patch
>
>
> ...and other UTF-8 characters encoded in two hex. values like in this example:
> {code:java}
> String example = "/webcontent/example_öl.jpg";
> String encoded = UtilCodec.getEncoder("url").encode(example);
> System.out.println(encoded);
> => "%2Fwebcontent%2Fexample_%C3%B6l.jpg"
> String decoded = UtilCodec.getDecoder("url").decode(encoded); System.out.println(decoded);
> => "/webcontent/example_öl.jpg"{code}
>  
> The reason for this is the OWASP ESAPI PercentCodec implementation used within the method UtilCodec.canonicalize, called before the proper decoding via java.net.URLDecoder here:
> {code:java}
> public String decode(String original) {
>     try {
>         String canonical = canonicalize(original);
>         return URLDecoder.decode(canonical, "UTF-8");
>     } catch (UnsupportedEncodingException ee) {
>         Debug.logError(ee, module);
>         return null;
>     }
> }{code}
>  
> The fix could be to only use the canonicalize logic to check the original value for double/mixed encoding and to encode the original value afterwards via URLDecoder instead of using the canonicalize output for this.
>  This way the UrlCodec decode method matches the encode method by only using URLDecoder / URLEncoder for doing the main job.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)