Posted to dev@cxf.apache.org by Jonathan Gallimore <jo...@gmail.com> on 2021/11/25 17:42:34 UTC

CXF-8619 - Form parameters double URL decoded

Hi All

I uncovered a scenario when using CXF in TomEE where form parameters were
being double url-decoded.

The case in question is where we have an endpoint like this:

    @POST
    @Path("/form")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.TEXT_PLAIN)
    public Response myWebService(@Context HttpServletRequest request,
                                 @Context HttpServletResponse res,
                                 @FormParam("value") String value) {
        LOGGER.info("Value received: " + value);
        return Response.ok(value).build();
    }

and a Servlet filter where request.getParameter() is called:

    import java.io.IOException;
    import java.util.logging.Logger;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;

    @WebFilter(urlPatterns = "/api/*")
    public class SampleFilter implements Filter {

        private static final Logger LOGGER =
            Logger.getLogger(SampleFilter.class.getName());

        @Override
        public void doFilter(final ServletRequest request,
                             final ServletResponse response,
                             final FilterChain chain)
                throws IOException, ServletException {
            // Reading any parameter here makes the container consume and parse the body.
            final String parameter = request.getParameter("test");
            LOGGER.info("test=" + parameter);

            chain.doFilter(request, response);
        }
    }

In this case, the request.getParameter("test") call in the servlet filter
makes Tomcat consume the request body, and parse the parameters into a map.
When CXF does its processing, the InputStream here:
https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/JAXRSUtils.java#L1152
is empty. CXF will get these values using the
request.getParameterNames()/getParameterValue() in this particular case -
but these return the already URL-decoded values. The code here then decodes
these again:
https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/JAXRSUtils.java#L1172-L1178

I've created a PR here: https://github.com/apache/cxf/pull/878 for
3.4.x-fixes (happy to port to master too). It would be great to get your
thoughts on this - I'm happy to rework the PR to accommodate feedback.

Many thanks!

Jon
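To make the reported behaviour concrete, here is a small added example (mine, not code from the PR or from CXF) that models the two paths in plain Java: parsing the raw body once, versus taking the container's already-decoded parameter map and decoding it a second time. The class and method names are my own; "a+b%20c" is a constructed value chosen so that a second decode visibly corrupts it.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Toy model of the two parameter sources; not CXF's JAXRSUtils code.
public class FormParamDecodingDemo {

    // Path 1: the body is still unread, so the JAX-RS layer parses the raw
    // application/x-www-form-urlencoded text itself. One decode is correct.
    static Map<String, String> fromRawBody(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Path 2: a filter already called getParameter(), so the container consumed
    // the body and its parameter map holds values decoded once already.
    // decodeAgain=true models the reported bug, false models the fix.
    static Map<String, String> fromContainerParams(Map<String, String> containerParams,
                                                   boolean decodeAgain) {
        Map<String, String> params = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : containerParams.entrySet()) {
            String v = e.getValue();
            params.put(e.getKey(),
                       decodeAgain ? URLDecoder.decode(v, StandardCharsets.UTF_8) : v);
        }
        return params;
    }

    public static void main(String[] args) {
        String original = "a+b%20c"; // constructed literal the client wants to send
        String wire = "value=" + URLEncoder.encode(original, StandardCharsets.UTF_8);
        System.out.println("on the wire:          " + wire);

        // What Tomcat holds after the filter's getParameter() call: decoded once.
        Map<String, String> container = fromRawBody(wire);
        System.out.println("container (1 decode): " + container.get("value"));
        System.out.println("bug (2 decodes):      " + fromContainerParams(container, true).get("value"));
        System.out.println("fix (no re-decode):   " + fromContainerParams(container, false).get("value"));
    }
}
```

On the double-decode path both the literal "+" and the literal "%20" in the original value collapse into spaces, so the endpoint no longer receives what the client sent; skipping the second decode when the values come from the container's map restores the original string.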