Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/07/15 16:22:02 UTC

[jira] [Assigned] (ARTEMIS-3388) Encoded acceptor passwords replace plus + sign with space

     [ https://issues.apache.org/jira/browse/ARTEMIS-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram reassigned ARTEMIS-3388:
---------------------------------------

    Assignee:     (was: Clebert Suconic)

> Encoded acceptor passwords replace plus + sign with space
> ---------------------------------------------------------
>
>                 Key: ARTEMIS-3388
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3388
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: ActiveMQ-Artemis-Native
>    Affects Versions: 2.17.0
>            Reporter: Aaron Steigerwald
>            Priority: Minor
>
> An encoded acceptor password like keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to ENC(ql6LSJ YMxGN1yn1r/F0yw==) prior to being passed to the SensitiveDataCodec.decode method. This causes exceptions like "java.lang.IllegalArgumentException: Illegal base64 character 20" if the SensitiveDataCodec implementation is expecting Base64 characters because a space is not a valid Base64 character.
> This appears to be happening because the string is URL decoded twice. The first time is implicit in the org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls uri.getQuery(), which according to [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html] "The getUserInfo, getPath, getQuery, getFragment, getAuthority, and getSchemeSpecificPart methods +decode+ any escaped octets in their corresponding components. The strings returned by these methods may contain both other characters and illegal characters, and will not contain any escaped octets." The second time is explicit in the org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI method. It calls URLDecoder.decode(value, "UTF-8").
> The workaround is to replace all spaces with plus + characters in the custom SensitiveDataCodec.decode method. This is safe because the method is expecting only valid Base64 characters and the space character will only exist if it's been converted from a plus + character.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
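
The double decode described in the report can be reproduced with the JDK alone. This is an added example, not code from the issue or from Artemis: the class name, the param helper, and the host, port and sslEnabled parameter in the URI are assumptions made for the demo; only the keyStorePassword value is taken from the report.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.util.Base64;

public class DoubleDecodeDemo {
    // Simplified query parsing for this demo (hypothetical helper, not Artemis code).
    static String param(String query, String name) {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return pair.substring(eq + 1);
            }
        }
        throw new IllegalArgumentException("missing parameter " + name);
    }

    // Strips the ENC( ... ) wrapper and Base64-decodes the payload.
    static int decodedLength(String masked) {
        String b64 = masked.substring("ENC(".length(), masked.length() - 1);
        return Base64.getDecoder().decode(b64).length;
    }

    public static void main(String[] args) throws Exception {
        // Constructed acceptor URI: host and port are placeholders,
        // the password value is the one quoted in the report.
        URI uri = new URI("tcp://localhost:61616?sslEnabled=true"
                + "&keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)");

        // First decode: URI.getQuery() already turns %2B into '+'.
        String once = param(uri.getQuery(), "keyStorePassword");
        System.out.println("decoded once : " + once + " -> " + decodedLength(once) + " bytes");

        // Second decode: URLDecoder applies form rules, so '+' becomes a space.
        String twice = URLDecoder.decode(once, "UTF-8");
        System.out.println("decoded twice: " + twice);
        try {
            decodedLength(twice);
        } catch (IllegalArgumentException e) {
            System.out.println("Base64 rejects it: " + e.getMessage());
        }

        // Decoding exactly once from the raw query also preserves the '+'.
        String raw = param(uri.getRawQuery(), "keyStorePassword");
        System.out.println("raw, one decode: " + URLDecoder.decode(raw, "UTF-8"));

        // Workaround from the report: restore '+' before Base64 decoding.
        System.out.println("workaround   : " + decodedLength(twice.replace(' ', '+')) + " bytes");
    }
}
```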