felix-dev mailing list archives

From "Robin KM (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-5027) SSL Filter URL Decoding Issues
Date Thu, 17 Sep 2015 13:21:04 GMT

    [ https://issues.apache.org/jira/browse/FELIX-5027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14802897#comment-14802897

Robin KM commented on FELIX-5027:

Thank you [~cziegeler]. :)

> SSL Filter URL Decoding Issues
> ------------------------------
>                 Key: FELIX-5027
>                 URL: https://issues.apache.org/jira/browse/FELIX-5027
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http.sslfilter-1.0.2
>            Reporter: Robin KM
>            Assignee: Carsten Ziegeler
>             Fix For: http.sslfilter-1.0.4
> In SslFilterResponse, call to uri.getQuery() newly introduced with following FELIX-4920 commit is creating URL decoding issues:
> https://github.com/apache/felix/commit/57819578b1b26f40a1f1d3c9f07fa928a395d0a9#diff-00202663cae410b17b36aa25e60ba6cb
> #L188 
> {quote}return new URI(this.clientProto,null, this.serverName, this.clientPort, uri.getPath(),uri.getQuery(),uri.getFragment()).toURL();
> {quote}
> The uri.getQuery() will remove the decoding from the “resource” parameter causing a 302 with a location which is not decoded.
> So for example, it causes URLs to appear like 
> https://www.abc.com/?resource=https://mypage-1.abc.com:80/en.html?pbOpen=true&$$login$$=$$login$$&j_reason=errors.login.account.not.found
> When the expected URL for example is: 
> https://www.abc.com/en/login.html?resource=%2Fen.html%3FpbOpen%3Dtrue&$$login$$=%24%24login%24%24&j_reason=errors.login.account.not.found
> This creates problems when we have multiple domain URL mappings using sling resource and apache mod_rewrite.
> Also, important to note that the problem especially persists when the “resource” parameter contains a URL with URL parameters (and thus with “?” in it).
> It may be good to utilize StringBuilder in this method instead of using uri.getQuery() in combination with the URI and URL classes.

This message was sent by Atlassian JIRA
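
The behaviour described in the report, as an added example that is not part of the original message or of the Felix code base: the multi-argument `java.net.URI` constructor leaves legal query characters such as `/`, `?`, `=` and `&` unescaped, so a query obtained from `getQuery()` is emitted in decoded form, while the raw components keep the client's percent-encoding. The class and method names are hypothetical, the host is taken from the report's example, and the second input is constructed to show that an encoded `&` inside the `resource` value becomes a separate top-level parameter.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RedirectQueryEncodingDemo { // hypothetical name, not a Felix class

    // Pattern quoted in the report: decoded components are passed to the
    // multi-argument constructor, which does not re-escape '/', '?', '=' or '&'.
    static String rebuildFromDecoded(URI uri, String proto, String host, int port)
            throws URISyntaxException {
        return new URI(proto, null, host, port,
                uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
    }

    // Raw-preserving alternative built with StringBuilder, as the report suggests:
    // the client's percent-encoding is copied through unchanged.
    static String rebuildFromRaw(URI uri, String proto, String host, int port) {
        StringBuilder sb = new StringBuilder(proto).append("://").append(host);
        if (port != -1) sb.append(':').append(port);
        if (uri.getRawPath() != null) sb.append(uri.getRawPath());
        if (uri.getRawQuery() != null) sb.append('?').append(uri.getRawQuery());
        if (uri.getRawFragment() != null) sb.append('#').append(uri.getRawFragment());
        return sb.toString();
    }

    // Number of top-level parameters a receiver would see in the rebuilt URL.
    static int topLevelParams(String url) {
        String q = URI.create(url).getRawQuery();
        return q == null || q.isEmpty() ? 0 : q.split("&").length;
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] inputs = {
            // Expected URL from the report, taken here as the incoming http URL (assumption).
            "http://www.abc.com/en/login.html?resource=%2Fen.html%3FpbOpen%3Dtrue"
                + "&$$login$$=%24%24login%24%24&j_reason=errors.login.account.not.found",
            // Constructed input: the nested URL carries its own encoded '&'.
            "http://www.abc.com/en/login.html?resource=%2Fen.html%3Fa%3D1%26b%3D2"
        };
        for (String in : inputs) {
            URI uri = new URI(in);
            String decoded = rebuildFromDecoded(uri, "https", "www.abc.com", -1);
            String raw = rebuildFromRaw(uri, "https", "www.abc.com", -1);
            System.out.println("decoded: " + decoded + " params=" + topLevelParams(decoded));
            System.out.println("raw:     " + raw + " params=" + topLevelParams(raw));
        }
    }
}
```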