ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Brohl (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (OFBIZ-10275) UtilCodec URL decoding breaks values with german umlauts
Date Mon, 12 Mar 2018 21:39:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-10275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Brohl reassigned OFBIZ-10275:
-------------------------------------

    Assignee: Michael Brohl

> UtilCodec URL decoding breaks values with german umlauts
> --------------------------------------------------------
>
>                 Key: OFBIZ-10275
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10275
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Martin Becker
>            Assignee: Michael Brohl
>            Priority: Major
>         Attachments: OFBIZ-10275_UrlCodec_decode_via_URLDecoder.patch
>
>
> ...and other UTF-8 characters encoded in two hex. values like in this example:
> {code:java}
> String example = "/webcontent/example_öl.jpg";
> String encoded = UtilCodec.getEncoder("url").encode(example);
> System.out.println(encoded);
> => "%2Fwebcontent%2Fexample_%C3%B6l.jpg"
> String decoded = UtilCodec.getDecoder("url").decode(encoded); System.out.println(decoded);
> => "/webcontent/example_öl.jpg"{code}
>  
> The reason for this is the OWASP ESAPI PercentCodec implementation used within the method
UtilCodec.canonicalize, called before the proper decoding via java.net.URLDecoder here:
> {code:java}
> public String decode(String original) {
>     try {
>         String canonical = canonicalize(original);
>         return URLDecoder.decode(canonical, "UTF-8");
>     } catch (UnsupportedEncodingException ee) {
>         Debug.logError(ee, module);
>         return null;
>     }
> }{code}
>  
> The fix could be to only use the canonicalize logic to check the original value for double/mixed
encoding and to encode the original value afterwards via URLDecoder instead of using the canonicalize
output for this.
>  This way the UrlCodec decode method matches the encode method by only using URLDecoder
/ URLEncoder for doing the main job.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message