RESTEasy / RESTEASY-2932

FormParam splitting may truncate the value of a parameter

Details

    Description

      The implementation of the FormUrlEncodedProvider currently does not handle FormParams with plaintext equal signs correctly.
      When the value of a param contains unencoded equal signs, which is correct according to the WHATWG spec (https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set), the FormUrlEncodedProvider cuts off everything after the first equal sign.

      The parse algorithm definition in https://url.spec.whatwg.org/#urlencoded-parsing states that only the first equal sign in a key-value pair is used to split the pair:

      If bytes contains a 0x3D (=), then let name be the bytes from the start of bytes up to but excluding its first 0x3D (=), and let value be the bytes, if any, after the first 0x3D (=) up to the end of bytes.

      This behaviour occurred to me in an Angular application which uses the Angular HttpClient together with Quarkus using RESTEasy. The HttpParams object which is used there for form encoding does not encode equal signs, and so the value is not properly received in a JAX-RS method using FormParam values. I also verified the correct behaviour after the patch in a Quarkus sample project. I can provide that if it is necessary.
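
An added illustration, not RESTEasy's code and not from the reporter: the spec's first-`=` split beside a split on every `=`, run on a constructed body whose values (a Base64 token with padding, a nested query string) are the kind that get silently truncated. The class and method names are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FormSplitDemo {

    // Splits each pair on the FIRST '=' only, as the WHATWG urlencoded parser requires.
    static Map<String, List<String>> parseFirstEquals(String body) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;             // spec: skip empty sequences
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
        }
        return out;
    }

    // Illustrative truncating variant (assumed shape of the defect, not the project's code):
    // splits on every '=' and keeps only the second piece as the value.
    static Map<String, List<String>> parseEveryEquals(String body) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            String[] parts = pair.split("=");         // trailing empty pieces are dropped too
            String name = parts.length > 0 ? parts[0] : "";
            String value = parts.length > 1 ? parts[1] : "";
            out.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
        }
        return out;
    }

    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8); // also maps '+' to space
    }

    public static void main(String[] args) {
        // Constructed sample body: Base64 padding, a nested query string, a bare name.
        String body = "token=dGVzdA==&redirect=/cb?state=abc&flag";
        System.out.println("first '=' only: " + parseFirstEquals(body));
        System.out.println("every '=':      " + parseEveryEquals(body));
    }
}
```

Comparing the two printed maps for `token` and `redirect` shows the truncation; a regression test for a form parser can assert that both values round-trip unchanged.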

          People

            jperkins-rhn James Perkins