Undertow / UNDERTOW-2206

IAE trying to decode a requestPath


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 2.3.1.Final, 2.2.22.Final
    • Affects Version/s: 2.2.21.Final
    • Component/s: Core
    • Labels: None

      Upgrading our project from `2.2.0.Final` to `2.2.21.Final` led one of our smoke tests to fail with the following:

      java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 0 in: "&("
      	at java.base/java.net.URLDecoder.decode(URLDecoder.java:232) ~[na:na]
      	at java.base/java.net.URLDecoder.decode(URLDecoder.java:142) ~[na:na]
      	at io.undertow.servlet.spec.HttpServletRequestImpl.decodeURL(HttpServletRequestImpl.java:297) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.spec.HttpServletRequestImpl.getServletPath(HttpServletRequestImpl.java:432) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.DefaultServlet.getPath(DefaultServlet.java:394) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.DefaultServlet.doGet(DefaultServlet.java:150) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:497) ~[jakarta.servlet-api-4.0.4.jar:4.0.4]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:584) ~[jakarta.servlet-api-4.0.4.jar:4.0.4]
      	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.24-SNAPSHOT.jar:5.3.24-SNAPSHOT]
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.24-SNAPSHOT.jar:5.3.24-SNAPSHOT]
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100) ~[undertow-servlet-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:391) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852) ~[undertow-core-2.2.21.Final.jar:2.2.21.Final]
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-3.1.0.Final.jar:3.1.0.Final]
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019) ~[jboss-threads-3.1.0.Final.jar:3.1.0.Final]
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558) ~[jboss-threads-3.1.0.Final.jar:3.1.0.Final]
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1423) ~[jboss-threads-3.1.0.Final.jar:3.1.0.Final]
      	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.7.Final.jar:3.8.7.Final]
      	at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
      
      

      The test is doing a GET on /nested-reserved-%21%23%24%25%26%28%29%2A%2B%2C%3A%3D%3F%40%5B%5D-meta-inf-resource.txt.

      I believe the change in this commit makes it so that URLDecoder.decode is invoked on the decoded path as returned by HttpServletRequestImpl#getServletPath, that is /nested-reserved-!#$%&()*+,:=?@[]-meta-inf-resource.txt.

      Assignee: rhn-support-rmartinc Ricardo Martin Camarero
      Reporter: stephane.nicoll Stéphane Nicoll (Inactive)
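
The double decode described in the report, reproduced with the JDK's `URLDecoder` alone. This is an added example, not Undertow's code and not part of the original report; the class `DoubleDecodeDemo`, the helper `decodeAgain` and the path `/report-%2541.txt` are constructed for illustration. It also covers the case where the second pass does not throw but silently changes the path.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example (not Undertow code): decoding a request path twice with the JDK's URLDecoder.
public class DoubleDecodeDemo {

    // Raw request path taken from the report.
    static final String RAW =
        "/nested-reserved-%21%23%24%25%26%28%29%2A%2B%2C%3A%3D%3F%40%5B%5D-meta-inf-resource.txt";

    // Constructed sample: an encoded '%' followed by two hex digits.
    static final String RAW_HEX = "/report-%2541.txt";

    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // Decode an already decoded value a second time and report what happens.
    static String decodeAgain(String decodedOnce) {
        try {
            return "changed to: " + decode(decodedOnce);
        } catch (IllegalArgumentException e) {
            return "IAE: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String once = decode(RAW);
        System.out.println("decoded once : " + once);
        // The first pass leaves a literal "%&(" in the path; that is not a valid
        // escape, so the second pass throws IllegalArgumentException.
        System.out.println("decoded twice: " + decodeAgain(once));

        String hexOnce = decode(RAW_HEX);
        System.out.println("decoded once : " + hexOnce);
        // Here the first pass leaves a literal '%' followed by hex digits, so the
        // second pass does not fail: it returns a different path than was requested.
        System.out.println("decoded twice: " + decodeAgain(hexOnce));
    }
}
```

Because `URLDecoder` implements form decoding, a second pass also turns a literal `+` into a space, so a decoded path should be treated as final and never decoded again.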