You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Krasimir Malchev (Jira)" <ji...@apache.org> on 2023/04/26 12:03:00 UTC
[jira] [Updated] (HTTPCORE-744) HttpCore 5.2.1 does not correctly handle semi-column (;) and equal sign (=) characters in URI set as Location header.
[ https://issues.apache.org/jira/browse/HTTPCORE-744?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Krasimir Malchev updated HTTPCORE-744:
--------------------------------------
Summary: HttpCore 5.2.1 does not correctly handle semi-column (;) and equal sign (=) characters in URI set as Location header. (was: HttpCore 5.2.1 does not correctly handle semicolumn and equal characters in URI set as Location header.)
> HttpCore 5.2.1 does not correctly handle semi-column (;) and equal sign (=) characters in URI set as Location header.
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: HTTPCORE-744
> URL: https://issues.apache.org/jira/browse/HTTPCORE-744
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore
> Affects Versions: 5.2.1
> Environment: httpclient5, version 5.1.2
> httpcore5, version 5.1.2
> javax.servlet-api, version 3.1.0
> Reporter: Krasimir Malchev
> Priority: Major
> Attachments: Simulation.zip
>
>
> If an http response has an URI in the Location header, which contains special symbols - semi-column (;) and equal sign (=), the URI parser of the underlaying URI builder encodes these symbols to %3B and %3D. Then the redirect will be performed using the encoded URI.
> Real Use Case where the issue is detected with httpcomonents updated from version 4 to 5: SAML Artifact binding in an IDP initiated SSO communication.
> A simple simulation program is attached to demonstrate the problem.
> Test Case: There is a servlet and a client application.
> 1. The client application sends an HTTP GET request to the servlet with URI "http://localhost:8080/test/welcome"
> 2. The servlet receives the request and sends a redirect response with a relative location - /test/httpclient4/welcomeHttpClient
> 2.1. Before sending the response the redirect URL is encoded (by calling the method HttpServletResponse.encodeRedirectURL(String location)).
> 2.2.The latter method adds jsessionid at the end of the new location in accordance to the Java Servlet Specification, section 7.1.3 - URL Rewriting (https://javaee.github.io/servlet-spec/downloads/servlet-3.1/Final/servlet-3_1-final.pdf).
> Therefore the redirect location becomes similar to /test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F
> 3. When the response is received the httpclient parses the new location and encodes it to:
> http://localhost:8080/test/httpclient/welcomeHttpClient%3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F
> This is an issue, because the latter URL is redirected at the end with %3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F (i.e. no such endpoint exists). Also jsessionid is not recognized as a path parameter.
> The expected redirect URL is without encoded semi-column and equal sign : http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F
> Remarks:
> 1) Note that if the servlet redirects a full URI instead of a relative URI (for example,
> http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F), then
> the httpclient response is properly parsed and the redrect URL has no encoded semi-column and equal sign character.
> 2) If http client 4.5.5 and httpcore 4.4.9 are used, then the described issue is not present! (client application is also attached)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org