HTTP(s) basic auth failed if password contained ampersand passed via … #104
Conversation
…basic.password URL parameter A double-decode bug caused URLDecode to be applied twice to parameters passed in via URL including basic.username and basic.password. The parameters were automatically decoded by the call to URI.getQuery() then again as each parameter was parsed and added to the returned Map in MulticastConnectionFactory.URIs.parseQuery(). parseQuery() splits the query string on the ampersand character then explictly URLDecode's each value. Since URI.getQuery() had already decoded the basic.password parameter, the splitting process in parseQuery truncated the password at the first ampersand character. Instead, URI.getRawQuery() should be called to get the still URLEncoded query string. The splitting and subsequent decoding in parseQuery() then correctly extracts the full password from the query string.
|
I can follow your explanation. I took a quick look into I think, that we can enhance the test-case with WDYT @jeanouii ? |
|
Shall we create a JIRA-Ticket for this? @jeanouii |
|
I created https://issues.apache.org/jira/browse/TOMEE-2656 for this. Did not get an answer for the comment:
WDYT @cesarhernandezgt ? |
|
Can one of the admins verify this patch? |
2 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
I think this looks good to merge. I'll give it a quick test and get it merged. |
|
Merged and backported to 7.1.x and 7.0.x. Thanks for the PR! |
|
I closed the related JIRA and set the fix version(s) |
|
@rzo1 Many thanks for the review, the JIRA admin and for pushing this through, its really appreciated. |
Prepare for 7.1.2-TT.1 release
…basic.password URL parameter
A double-decode bug caused URLDecode to be applied twice to parameters passed in
via URL including basic.username and basic.password. The parameters were automatically
decoded by the call to URI.getQuery() then again as each parameter was parsed and added
to the returned Map in MulticastConnectionFactory.URIs.parseQuery(). parseQuery() splits the
query string on the ampersand character then explictly URLDecode's each value. Since
URI.getQuery() had already decoded the basic.password parameter, the splitting process
in parseQuery truncated the password at the first ampersand character.
Instead, URI.getRawQuery() should be called to get the still URLEncoded query string. The
splitting and subsequent decoding in parseQuery() then correctly extracts the full password
from the query string.
PR contains failing unit test & fix.