- Bug
- Resolution: Done
- Major
- 7.2.1.GA
Undertow is less lenient for a bad POST parameter compared to EAP 6/JBossWeb and Tomcat. If the request contains a bad parameter with a value of '%', then the request fails with a StringIndexOutOfBoundsException:

java.lang.StringIndexOutOfBoundsException: String index out of range: 1
    at java.lang.String.charAt(String.java:658)
    at io.undertow.util.URLUtils.decode(URLUtils.java:132)
    at io.undertow.util.URLUtils.decode(URLUtils.java:78)
    at io.undertow.server.handlers.form.FormEncodedDataDefinition$FormEncodedDataParser.doParse(FormEncodedDataDefinition.java:186)
    at io.undertow.server.handlers.form.FormEncodedDataDefinition$FormEncodedDataParser.parseBlocking(FormEncodedDataDefinition.java:252)
    at io.undertow.servlet.spec.HttpServletRequestImpl.parseFormData(HttpServletRequestImpl.java:832)
    at io.undertow.servlet.spec.HttpServletRequestImpl.getParameterMap(HttpServletRequestImpl.java:785)

EAP 6 and Tomcat ignore the problem parameter and just log a message like the one below, so all other parameters can still be handled successfully for a 200 response:
INFO [http-nio-8080-exec-1] org.apache.tomcat.util.http.Parameters.processParameters Character decoding failed. Parameter [test1] with value [%] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
Note: further occurrences of Parameter errors will be logged at DEBUG level.
Can Undertow be improved to be more lenient in this case like EAP 6/Tomcat?
- clones: UNDERTOW-1554 Improve handling and leniency of bad POST parameters (Resolved)
- is incorporated by: JBEAP-17631 [GSS](7.2.z) Upgrade Undertow from 2.0.25.SP1 to 2.0.26.SP3 (Closed)