cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-6015) Path parameters containing semicolon are truncated due to missing encoding
Date Tue, 23 Sep 2014 09:15:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14144582#comment-14144582
] 

Daniel edited comment on CXF-6015 at 9/23/14 9:15 AM:
------------------------------------------------------

I tried to use a ParamConverter and it worked in the example project I provided above (I just
updated to attachment to contain the respective sources). However the ParamConverter is not
used when autowiring the services together in our production environment. Perhaps this is
related to CXF-5988??

Nevertheless I think, that a semicolon needs to be escaped when being passed as part of a
path parameter. I skimmed through the JAX-RS 2.0 spec and found nothing specific about URL
parameter conversion but only references to RFC3986. This RFC describes how valid URIs are
build. Especially sections 2.2 and 2.4 are of interest regarding this ticket.

In section 2.2 RFC3986 states:
{quote}
If data for a URI component would conflict with a reserved character’s purpose as a delimiter,
then the conflicting data must be percent-encoded before the URI is formed.
{noformat}
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "’" / "(" / ")" / "*" / "+" / "," / ";" / "="
{noformat}
{quote}

And section 2.4 (When to Encode or Decode) says:
{quote}
Under normal circumstances, the only time when octets within a URI are percent-encoded is
during the process of producing the URI from its component parts. This is when an implementation
determines which of the reserved characters are to be used as subcomponent delimiters and
which can be safely used as data. Once produced, a URI is always in its percent-encoded form.
{quote}

Given this specification I would think the CXF ClientProxy needs to percent escape all reserved
characters that are part of a path, matrix or query parameter value when building the request
URI as it is the part of the code that knows about the semantic of the different parts of
the composed URI.


was (Author: dpr):
I tried to use a ParamConverter and it worked in the example project I provided above (I just
updated to attachment to contain the respective sources). However the ParamConverter is not
used when autowiring the services together in our production environment. Perhaps this is
related to CXF-5988??

Nevertheless I think, that a semicolon needs to be escaped when being passed as part of a
path parameter. I skimmed through the JAX-RS 2.0 spec and found nothing specific about URL
parameter conversion but only references to RFC3986. This RFC describes how valid URIs are
build. Especially sections 2.2 and 2.4 are of interest regarding this ticket.

In section 2.2 RFC3986 states:
{quote}
If data for a URI component would conflict with a reserved character’s purpose as a delimiter,
then the conflicting data must be percent-encoded before the URI is formed.
{noformat}
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "’" / "(" / ")" / "*" / "+" / "," / ";" / "="
{noformat}
{quote}

And section 2.4 (When to Encode or Decode) says:
{quote}
Under normal circumstances, the only time when octets within a URI are percent-encoded is
during the process of producing the URI from its component parts. This is when an implementation
determines which of the reserved characters are to be used as subcomponent delimiters and
which can be safely used as data. Once produced, a URI is always in its percent-encoded form.
{quote}

Given this specification I would think the CXF ClientProxy needs to percent escape all escaped
characters that are part of a path, matrix or query parameter value when building the request
URI as it is the part of the code that knows about the semantic of the different parts of
the composed URI.

> Path parameters containing semicolon are truncated due to missing encoding
> --------------------------------------------------------------------------
>
>                 Key: CXF-6015
>                 URL: https://issues.apache.org/jira/browse/CXF-6015
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.12, 3.0.1
>         Environment: Apache Tomcat / 7.0.54
> Eclipse Jetty / 9.2.2
>            Reporter: Daniel
>         Attachments: cxf-test.zip
>
>
> If a REST service uses path parameters, these parameters must not contain any semicolon
as the parameter value gets truncated after the semicolon by many runtime environments. For
that reason especially the semicolon should be encoded while building the client proxy.
> I pinned this issue down to the usage of {{org.apache.cxf.jaxrs.utils.HttpUtils.pathEncode(String)}}
during the creation of the request URI. Path parameters are encoded using a fixed list of
characters ({{=@/:!$&\'(),;~}}) that are preserved in {{pathEncode(String)}}. While this
is fine/needed for encoding a complete path it leads to problems if used for encoding single
elements of a path like path parameters.
> Attached you'll find a minimal example project containing a simple REST service that
returns the provided path parameters. If deployed on localhost:8080, a call to {{http://localhost:8080/cxf-test-service-0.1/cxf-test/R&uuml;diger/R&uuml%3Bdiger}}
will result in {{anAttribute=R&uuml, anotherAttribute=R&amp;uuml;diger}} to be returned.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message