Mailing-List: users@tomee.apache.org (contact users-help@tomee.apache.org; run by ezmlm)
From: Zachary Bedell
To: users@tomee.apache.org
Subject: Incorrect URL decoding in MulticastConnectionFactory$URI::parseParameters
Date: Wed, 20 Sep 2017 16:27:48 +0000
Greetings all,

Pretty sure I found a bug in the way org.apache.openejb.client.MulticastConnectionFactory decodes URL parameters. The final result of the issue is that if you use HTTP basic authentication when calling ServerServlet and openejb.ejbd.authenticate-with-request=true, you can't log in with a password that contains an ampersand character.

The flow looks something like:

1) Create a new InitialContext with PROVIDER_URL set to failover:sticky+random:https://myserver/ejb/invoke?basic.username=xyz&basic.password=pass%26word
   a) /ejb/invoke is where I have org.apache.openejb.server.httpd.ServerServlet mapped
   b) web.xml on that mapping requires BASIC auth.
   c) key part of URL is the literal password "pass&word" URL encoded with ampersand -> %26

2) TomEE internals eventually end up at HttpConnectionFactory$HttpConnection's constructor where line 76 calls:
   params = MulticastConnectionFactory.URIs.parseParamters(uri);
   By this time, various unwrapping has pared the URL down to: https://myserver/ejb/invoke?basic.username=xyz&basic.password=pass%26word

3) MulticastConnectionFactory...parseParameters, i.e. line 136:
   return uri.getQuery() == null ? new HashMap(0) : parseQuery(stripPrefix(uri.getQuery(), "?"));

That calls URI.getQuery(), which decodes the URI's query string, then passes that into parseQuery(), which splits up the query parameters delimited by ampersands. The call to URI.getQuery() is the problem. For the above URI, the result is:

basic.username=xyz&basic.password=pass&word

The ampersand in the query parameter basic.password is decoded and then indistinguishable from a query parameter separator. When passed into parseQuery, the resulting value for basic.password is just "pass".

Since MulticastConnectionFactory$URIs::parseQuery already calls URLDecoder.decode() on both name and value pairs, the call in parseParameters should be to URI::getRawQuery() instead of getQuery(). I think there's also a possible double decoding issue here which could corrupt certain values by decoding the value a second time.

For the time being, I think I can work around this by passing the authorization query parameter with the user:pass already base64 encoded.

Pretty sure this should be a complete & safe fix:

diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/MulticastConnectionFactory.java b/server/openejb-client/src/main/java/org/apache/openejb/client/MulticastConnectionFactory.java
index 22f2f86a6a..eedb54840e 100644
--- a/server/openejb-client/src/main/java/org/apache/openejb/client/MulticastConnectionFactory.java
+++ b/server/openejb-client/src/main/java/org/apache/openejb/client/MulticastConnectionFactory.java
@@ -133,7 +133,7 @@ public class MulticastConnectionFactory implements ConnectionFactory {
     }

     public static Map parseParamters(final URI uri) throws URISyntaxException {
-        return uri.getQuery() == null ? new HashMap(0) : parseQuery(stripPrefix(uri.getQuery(), "?"));
+        return uri.getQuery() == null ? new HashMap(0) : parseQuery(stripPrefix(uri.getRawQuery(), "?"));
     }

     public static String stripPrefix(final String value, final String prefix) {

Best regards,
Zac Bedell

(Message signed with OpenPGP; signature attachment omitted.)
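Review bot: the null guard in this hunk still reads uri.getQuery() while the value handed to parseQuery now comes from uri.getRawQuery(); use one accessor for both so the two cannot drift, e.g. `return uri.getRawQuery() == null ? new HashMap(0) : parseQuery(stripPrefix(uri.getRawQuery(), "?"));` (java.net.URI returns null from both when the URI has no query component, so behaviour is unchanged). Two consequences are worth stating in the commit message: parseQuery's URLDecoder.decode() is form decoding, so after this change a literal '+' in the raw query becomes a space and callers must send '%2B' for a plus sign; and stripPrefix(..., "?") is a no-op on getRawQuery(), which never includes the leading '?'. A regression test with a password containing an encoded ampersand ("pass%26word") and one containing a doubly encoded one ("pass%2526word") would pin down both the reported bug and the double-decoding case the report mentions.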
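The difference between URI.getQuery() and URI.getRawQuery() that the report turns on, as an added illustration that is neither the reporter's code nor TomEE's. The parseQuery below is a stand-in written from the description in the message (split on '&' and '=', then URLDecoder.decode() each name and value once); its name, the helper names and the sample URIs are assumptions for this example. It runs both the decoded-first path (the reported bug) and the raw-first path (the proposed fix) over the report's URI, then over two inputs that expose the double-decoding and '+' handling caveats.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not TomEE code): shows why splitting an already-decoded
// query on '&' loses an encoded ampersand, and why the raw query must be
// split first and decoded afterwards. Requires Java 10+ for the Charset
// overload of URLDecoder.decode.
public class QueryDecodingDemo {

    // Stand-in for the parseQuery described in the report: split on '&',
    // split each pair on the first '=', URL-decode name and value once.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // The reported behaviour: getQuery() has already percent-decoded the
    // string, so "%26" is a literal '&' by the time it is split.
    static Map<String, String> parseDecodedFirst(URI uri) {
        return parseQuery(uri.getQuery());
    }

    // The proposed fix: split the still-encoded query, decode each piece once.
    static Map<String, String> parseRawFirst(URI uri) {
        return parseQuery(uri.getRawQuery());
    }

    public static void main(String[] args) throws Exception {
        // Constructed URI with the same shape as the one in the report.
        URI uri = new URI(
            "https://myserver/ejb/invoke?basic.username=xyz&basic.password=pass%26word");

        System.out.println("getQuery()    : " + uri.getQuery());     // ...password=pass&word
        System.out.println("getRawQuery() : " + uri.getRawQuery());  // ...password=pass%26word
        System.out.println("decoded-first : " + parseDecodedFirst(uri)); // password="pass", stray key "word"
        System.out.println("raw-first     : " + parseRawFirst(uri));     // password="pass&word"

        // Double decoding: a password containing the literal text "%26" has to be
        // sent as "%2526". Decoding it twice turns it into '&' and corrupts the value.
        URI doubled = new URI("https://myserver/ejb/invoke?basic.password=pass%2526word");
        System.out.println("decoded-first : " + parseDecodedFirst(doubled)); // "pass&word"  (wrong)
        System.out.println("raw-first     : " + parseRawFirst(doubled));     // "pass%26word" (right)

        // Caveat of the fix: URLDecoder is form decoding, so a bare '+' becomes a
        // space. A password with a literal plus sign must be sent as "%2B".
        URI plus = new URI("https://myserver/ejb/invoke?basic.password=a%2Bb&other=a+b");
        System.out.println("raw-first     : " + parseRawFirst(plus)); // password="a+b", other="a b"
    }
}
```

Compile and run with `javac QueryDecodingDemo.java && java QueryDecodingDemo`. The first two printed maps are the reported bug and its fix; the last two show why the fix must decode exactly once and why '+' still needs percent-encoding in client-supplied passwords.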