- Enhancement
- Resolution: Done
- Major
- 2.0.21.Final
- None
Undertow is less lenient for a bad POST parameter compared to EAP 6/JBossWeb and Tomcat. If the request contains a bad parameter with a value of '%', then the request fails with a StringIndexOutOfBoundsException:
java.lang.StringIndexOutOfBoundsException: String index out of range: 1
    at java.lang.String.charAt(String.java:658)
    at io.undertow.util.URLUtils.decode(URLUtils.java:132)
    at io.undertow.util.URLUtils.decode(URLUtils.java:78)
    at io.undertow.server.handlers.form.FormEncodedDataDefinition$FormEncodedDataParser.doParse(FormEncodedDataDefinition.java:186)
    at io.undertow.server.handlers.form.FormEncodedDataDefinition$FormEncodedDataParser.parseBlocking(FormEncodedDataDefinition.java:252)
    at io.undertow.servlet.spec.HttpServletRequestImpl.parseFormData(HttpServletRequestImpl.java:832)
    at io.undertow.servlet.spec.HttpServletRequestImpl.getParameterMap(HttpServletRequestImpl.java:785)
EAP 6 and Tomcat ignore the problem parameter and just log a message like the one below, so all other parameters can still be handled successfully for a 200 response:
INFO [http-nio-8080-exec-1] org.apache.tomcat.util.http.Parameters.processParameters Character decoding failed. Parameter [test1] with value [%] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
Note: further occurrences of Parameter errors will be logged at DEBUG level.
Can Undertow be improved to be more lenient in this case like EAP 6/Tomcat?
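The lenient handling requested above, as an added example that is not code from Undertow, Tomcat or the eventual fix: a decoder that bounds-checks each '%' escape, and a parser that drops only the parameter that fails to decode. The class and method names, the single-value map and the sample body are assumptions made for this example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class LenientFormDecoder {
    // ASCII hex digit value, or -1 (Character.digit alone also accepts non-ASCII digits).
    static int hex(char c) { return c < 128 ? Character.digit(c, 16) : -1; }
    // Percent-decodes one name or value; a bad escape raises instead of indexing past the end.
    static String decode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                // A lone "%" or a "%4" at the end of the input has no room for two hex digits.
                if (i + 2 >= s.length()) throw new IllegalArgumentException("incomplete escape at index " + i);
                int hi = hex(s.charAt(i + 1)), lo = hex(s.charAt(i + 2));
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex escape at index " + i);
                out.write((hi << 4) | lo);
                i += 2;
            } else if (c == '+') {
                out.write(' ');
            } else {  // literal character, possibly a surrogate pair
                int cp = s.codePointAt(i);
                byte[] b = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                out.write(b, 0, b.length);
                i += Character.charCount(cp) - 1;
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }
    // Parses a form body, skipping only the parameters that fail to decode (last value wins).
    static Map<String, String> parse(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            try {
                params.put(decode(eq < 0 ? pair : pair.substring(0, eq)),
                           eq < 0 ? "" : decode(pair.substring(eq + 1)));
            } catch (IllegalArgumentException e) {
                // Log the reason only: the raw name and value are attacker-controlled.
                System.err.println("Ignoring parameter: " + e.getMessage());
            }
        }
        return params;
    }
    public static void main(String[] args) {
        System.out.println(parse("test1=%&user=alice&q=a%20b")); // constructed sample body
    }
}
```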
- is cloned by
  - JBEAP-17009 [GSS](7.2.z) UNDERTOW-1554 - Improve handling and leniency of bad POST parameters (Closed)
- is incorporated by
  - WFCORE-4641 Upgrade Undertow to 2.0.26.Final (Closed)