Posted to dev@cxf.apache.org by Jonathan Gallimore <jo...@gmail.com> on 2021/11/25 17:42:34 UTC
CXF-8619 - Form parameters double URL decoded
Hi All
I uncovered a scenario when using CXF in TomEE where form parameters were
being double URL-decoded.
The case in question is where we have an endpoint like this:
    @POST
    @Path("/form")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.TEXT_PLAIN)
    public Response myWebService(@Context HttpServletRequest request,
                                 @Context HttpServletResponse res,
                                 @FormParam("value") String value) {
        LOGGER.info("Value received: " + value);
        return Response.ok(value).build();
    }
and a Servlet filter where request.getParameter() is called:
    import java.io.IOException;
    import java.util.logging.Logger;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;

    @WebFilter(urlPatterns = "/api/*")
    public class SampleFilter implements Filter {
        private static final Logger LOGGER =
                Logger.getLogger(SampleFilter.class.getName());

        @Override
        public void doFilter(final ServletRequest request, final ServletResponse response,
                             final FilterChain chain) throws IOException, ServletException {
            // Reading a parameter here makes the container consume and parse the form body
            final String parameter = request.getParameter("test");
            LOGGER.info("test=" + parameter);
            chain.doFilter(request, response);
        }
    }
In this case, the request.getParameter("test") call in the servlet filter
makes Tomcat consume the request body and parse the parameters into a map.
When CXF does its processing, the InputStream here:
https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/JAXRSUtils.java#L1152
is empty. CXF will get these values using the
request.getParameterNames()/getParameterValue() in this particular case -
but these return the already URL-decoded values. The code here then decodes
these again:
https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/JAXRSUtils.java#L1172-L1178
I've created a PR here: https://github.com/apache/cxf/pull/878 for
3.4.x-fixes (happy to port to master too). It would be great to get your
thoughts on this - I'm happy to rework the PR to accommodate feedback.
Many thanks!
Jon
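The following is an added illustration of the decoding behaviour described in the
message above; it is not CXF's code and not part of the original post. It models
the two paths in a few lines of Python so the effect of the second decode can be
seen on a constructed body: the container parses and decodes the form body once
when a filter calls getParameter(), and a framework that then decodes the
container's already-decoded values a second time changes the data. The function
names (container_parse, framework_params_buggy, framework_params_fixed) and the
sample body are assumptions made for the example.

```python
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample request body (not from the original post). After exactly one
# form-decoding the application should see value == "a+b%41": %2B is a literal
# '+', %25 is a literal '%'. Neither is meant to be interpreted a second time.
RAW_BODY = "test=1&value=a%2Bb%2541"


def container_parse(body: str) -> dict:
    """Model of the servlet container: getParameter() consumes the body and stores
    the parameters ALREADY URL-decoded in the request's parameter map."""
    return {k: v for k, v in parse_qsl(body, keep_blank_values=True)}


def framework_params_buggy(body_stream: str, container_map: dict) -> dict:
    """Model of the pre-fix framework path: if the body stream is still available,
    parse and decode it once; if it has been consumed, fall back to the container's
    map and apply the same decoding step again, so those values are decoded twice."""
    if body_stream:
        return {k: v for k, v in parse_qsl(body_stream, keep_blank_values=True)}
    return {k: unquote_plus(v) for k, v in container_map.items()}


def framework_params_fixed(body_stream: str, container_map: dict) -> dict:
    """Model of the intended behaviour: values taken from the container's map are
    already decoded and must be used as-is."""
    if body_stream:
        return {k: v for k, v in parse_qsl(body_stream, keep_blank_values=True)}
    return dict(container_map)


def demonstrate() -> tuple:
    """Return the 'value' parameter as seen in three situations:
    (body not consumed, body consumed + buggy path, body consumed + fixed path)."""
    # 1. No filter touched the request: the framework reads the raw body itself.
    untouched = framework_params_buggy(RAW_BODY, {})["value"]

    # 2. A filter called getParameter(): the stream is empty, the container map is
    #    populated with decoded values, and the buggy path decodes them again.
    consumed = container_parse(RAW_BODY)
    double_decoded = framework_params_buggy("", consumed)["value"]

    # 3. Same consumed request with the single-decode fallback.
    once_decoded = framework_params_fixed("", consumed)["value"]

    return untouched, double_decoded, once_decoded


if __name__ == "__main__":
    for label, seen in zip(("raw body", "consumed, buggy", "consumed, fixed"), demonstrate()):
        print(f"{label:16s} value={seen!r}")
```

In the buggy case the resource method receives "a bA" instead of "a+b%41": the
literal '+' became a space and "%41" became 'A'. Any check a filter applied to the
once-decoded string is therefore reasoning about a different value than the one
the resource method ends up with, which is why decoding exactly once, whichever
source the parameters come from, is the property to preserve.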