Details
- Bug
- Resolution: Won't Do
- Major
- None
- 1.3.23.Final
- None
Description
The RoutingHandler does not decode escaped slashes (%2F) in extracted path elements. This means that corrupt data is delivered to the application if it contains slashes and is sent in the URL path.
Unfortunately, the RoutingHandler does decode encoded percent % characters. This means that it is impossible for the application to work around the failed parsing, because a decoded path element can contain the characters %2F if an encoded percent character is followed by 2F.
Setting the ALLOW_ENCODED_SLASH option to true makes Undertow decode the encoded slash character before splitting the path into elements (incorrect behaviour), and results in Undertow splitting the path into too many elements.
It's hard to write one's own routing, because the HttpServerExchange::getRequestPath method decodes escapes but returns a string, not a list of path elements, meaning that the path cannot be parsed correctly. Adding a method that returns the un-decoded path would help applications implement their own routing.
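The ordering problem described in this report, as an added example (not Undertow code and not from the reporter): split the raw path on literal slashes first, then percent-decode each element, so `%2F` and `%252F` stay distinguishable. It assumes the application can obtain the un-decoded request path, which is what the report asks for; the class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class PathSegments {
    // Percent-decode one element. '+' is left alone: it is a literal in a URL path.
    static String decode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] in = s.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < in.length; i++) {
            if (in[i] != '%') { out.write(in[i]); continue; }
            if (i + 2 >= in.length) throw new IllegalArgumentException("truncated escape in " + s);
            int hi = Character.digit(in[i + 1] & 0xFF, 16), lo = Character.digit(in[i + 2] & 0xFF, 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape in " + s);
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Split the raw path on literal '/', then decode each element exactly once.
    // Empty elements (leading slash, "//") are dropped here for brevity.
    static List<String> splitThenDecode(String rawPath) {
        List<String> elements = new ArrayList<>();
        for (String raw : rawPath.split("/", -1)) {
            if (!raw.isEmpty()) elements.add(decode(raw));
        }
        return elements;
    }

    // The order the report calls incorrect: decode the whole path, then split.
    // A decoded %2F becomes a separator and yields too many elements.
    static List<String> decodeThenSplit(String rawPath) {
        List<String> elements = new ArrayList<>();
        for (String s : decode(rawPath).split("/", -1)) {
            if (!s.isEmpty()) elements.add(s);
        }
        return elements;
    }

    public static void main(String[] args) {
        // Constructed request paths, not taken from the report.
        String withSlash = "/files/a%2Fb/meta";     // client sent the value "a/b"
        String withLiteral = "/files/a%252Fb/meta"; // client sent the value "a%2Fb"
        System.out.println(splitThenDecode(withSlash));
        System.out.println(splitThenDecode(withLiteral));
        System.out.println(decodeThenSplit(withSlash));
    }
}
```

Routing and any authorization decision should both be made on the list returned by `splitThenDecode`, so that every layer agrees on where element boundaries are.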