You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Aaron Steigerwald (Jira)" <ji...@apache.org> on 2021/07/15 20:19:00 UTC

[jira] [Commented] (ARTEMIS-3388) URI query values decoded twice

    [ https://issues.apache.org/jira/browse/ARTEMIS-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381572#comment-17381572 ] 

Aaron Steigerwald commented on ARTEMIS-3388:
--------------------------------------------

Yes, I see your point. For whatever reason Artemis doesn't currently have a problem with any other character in that string, only the + sign. I'll encode the other characters in the future if I must. Thanks!

> URI query values decoded twice
> ------------------------------
>
>                 Key: ARTEMIS-3388
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3388
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.17.0
>            Reporter: Aaron Steigerwald
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> An encoded acceptor password like keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to ENC(ql6LSJ YMxGN1yn1r/F0yw==) prior to being passed to the SensitiveDataCodec.decode method. This causes exceptions like "java.lang.IllegalArgumentException: Illegal base64 character 20" if the SensitiveDataCodec implementation is expecting Base64 characters because a space is not a valid Base64 character .
> This appears to be happening because the string is URL decoded twice. The first time is implicit in the org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls uri.getQuery(), which according to [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html] "The getUserInfo, getPath, getQuery, getFragment, getAuthority, and getSchemeSpecificPart methods +decode+ any escaped octets in their corresponding components. The strings returned by these methods may contain both other characters and illegal characters, and will not contain any escaped octets." The second time is explicit in the org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI method. It calls URLDecoder.decode(value, "UTF-8").
> The workaround is to replace all spaces with plus + characters in the custom SensitiveDataCodec.decode method. This is safe because the method is expecting only valid Base64 characters and the space character will only exist if it's been converted from a plus + character.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)