JBoss Enterprise Application Platform / JBEAP-27014

[GSS](7.4.z) UNDERTOW-2383 - Canonicalized query string in redirect location can break included links


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: 7.4.18.CR1, 7.4.18.GA
    • Affects Version: 7.4.16.GA
    • Component: Undertow
    • None

      For a relative redirect, any query string included in the location is now also canonicalized as a result of UNDERTOW-1308. This breaks any URL links potentially in the query values as any // is reduced to just /. But the RFC does suggest we should expect such a potential query value so perhaps we should not canonicalize any query string on the redirect?

      However, as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters.
      

      To reproduce, deploy the redirect.war and attempt a request like this and note the returned location header without the // value:

      curl -v 'localhost:8080/redirect/redirect.jsp?link=http://localhost/test'
      

              rhn-support-aogburn Aaron Ogburn