Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-744

RoutingHandler does not decode URL path elements correctly

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • 1.3.23.Final
    • Core
    • None
    • Hide

      See attached JUnit test

      Show
      See attached JUnit test

      The RoutingHandler does not decode escaped slashes (%2F) in extracted path elements. This means that corrupt data is delivered to the application if it contains slashes and is sent in the URL path.

      Unfortunately, the RoutingHandler does decode encoded percent % characters. This means that it is impossible for the application to work around the failed parsing, because a decoded path element can contain the characters %2F if an encoded percent character is followed by 2F.

      Setting the ALLOW_ENCODED_SLASH option to true makes Undertow decode the encoded slash character before splitting the path into elements (incorrect behaviour), and results in Undertow splitting the path into too many elements.

      It's hard to write ones own routing, because HttpServerExchange::getRequestPath method decodes escapes but returns a string, not a list of path elements, meaning that the path cannot be parsed correctly. Adding a method that returns the un-decoded path would help applications implement their own routing.

            sdouglas1@redhat.com Stuart Douglas
            npryce Nat Pryce (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: