[jboss-jira] [JBoss JIRA] (WFLY-9135) Undertow is doubly URLDecoder.decode(ing) auth-method query parameters
Scott Stark (JIRA)
issues at jboss.org
Tue Jul 25 22:21:00 EDT 2017
Scott Stark created WFLY-9135:
---------------------------------
Summary: Undertow is doubly URLDecoder.decode(ing) auth-method query parameters
Key: WFLY-9135
URL: https://issues.jboss.org/browse/WFLY-9135
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 10.1.0.Final
Reporter: Scott Stark
Assignee: Stuart Douglas
Attachments: AuthMethodParserTest.java, web.xml
I'm testing a custom authentication mechanism that is passing in a PEM encoded public key that has been URL.encoded. I have attached the web.xml I'm using, but I have also created a simple standalone unit test that illustrates the issue.
The org.wildfly.extension.undertow.deployment.AuthMethodParser.parse method calls io.undertow.util.QueryParameterUtils.parseQueryString to handle the parsing of the query string passed in with the auth-method name. This detects if there is a need to decode a parameter and does so.
The resulting map of query properties is then again unconditionally decodes the values again by this loop in AuthMethodParser:
{code:java}
for (Map.Entry<String, Deque<String>> entry : props.entrySet()) {
Deque<String> val = entry.getValue();
if (val.isEmpty()) {
authMethodConfig.getProperties().put(URLDecoder.decode(entry.getKey(), UTF_8), "");
} else {
authMethodConfig.getProperties().put(URLDecoder.decode(entry.getKey(), UTF_8), URLDecoder.decode(val.getFirst(), UTF_8));
}
}
{code}
since the original value is a PEM encoded public key, it may contains '+' characters, and these then are incorrectly transformed into space characters. I would suggest that this second decoding step simply be dropped.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list