UriTemplate does not escape semicolons in path segments [SPR-11652] #16275
Comments
Rossen Stoyanchev commented
We don't escape ";" since it is a legal character in a path segment. You may for example be appending one or more path variables through a URI variable placeholder. Also as a general delimiter ";" may be used for example to provide multiple ids (e.g. "/foo/id1;id2;id3") so if expanding this as a URI variable ("/foo/{ids}") you would not want to encode the semicolon. That said I realize this makes your case harder than it needs to be so I'm going to accept this as an issue. To resolve it we need to come up with a way to express your intent.
Benjamin Gehrels commented
I think I get your point, that it's important to be able to set Path params using the Templating mechanism. The problem I see is that, by allowing the templating mechanism to be used like this, it is impossible to set well-escaped Semicolons in Path components. If you write
you get http://www.example.com/user/john;doe/dashboard, so doe will be interpreted as a path variable. If you decide to pre-escape the semicolon to avoid this
you get http://www.example.com/user/john%253Ddoe/dashboard, because the given escape sequences do not stay untouched, but get double-escaped instead. This leads to a black hole in the templating system: There is no way to express "Take this arbitrary String and put it in the Path, so that it will be well escaped and treated as one entity". The best workaround I found so far is post-processing the generated URI, which is only possible if you make certain assumptions about it, namely that there are no intended semicolons in the rest of the URI (and it is pretty ugly):
Rossen Stoyanchev commented
You get more control with UriComponentsBuilder (in particular notice the use of
UriComponentsBuilder.fromUriString("http://www.example.com/user/{userId}/dashboard").build(true).expand("john%3Ddoe").toUri();
That said I do realize that means you have to encode all URI variables yourself so it's hardly ideal.
Agreed fully. We need to imagine ways to express this. Suggestions welcome!
Rossen Stoyanchev commented
Delving more into what "well escaped and treated as one entity", if you look at
Ben Kiefer commented
We got bit by this today with something like the following request.
"http://www.example.com/user/%3Bblah" GET
The path variable gets decoded to ';blah' in our receiving controller (above) and then we turn around and pass it along to another endpoint with rest template. Ex:
"http://www.other.com/user/;blah" GET
This ends up generating a request where the ;blah is treated as a request param instead of a path variable. This results in a 405 from the lower level endpoint because it doesn't want request params.
Ben Kiefer commented
Ended up fixing the problem with a request interceptor that rewrites the path of the URI if there is a semicolon in it. Wrote a quick interceptor for the rest template, and then decorated/proxied the HttpRequest that came into the interceptor and fed the decorated request along the chain. I'd prefer to have a "global" solution that was part of Spring though.
Rossen Stoyanchev commented
Since 4.2 the
DefaultUriTemplateHandler handler = new DefaultUriTemplateHandler();
handler.setStrictEncoding(true);
RestTemplate restTemplate = new RestTemplate();
restTemplate.setUriTemplateHandler(handler);
// ...
Ben Kiefer and BGehrels it would be great if you could give 4.3.0.BUILD-SNAPSHOT a try and confirm how well this mode works for you. Thanks!
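The two encoding policies discussed in this thread, as an added example that is not part of the original comments and is not Spring's own code: a plain-JDK model in which the class and method names (PathSegmentEncoding, encode, lenient, strict, segmentName) are hypothetical. It expands the issue's template with the john;doe value, and with a constructed pre-escaped form of it, and reports what a receiver that honours path parameters would take as the segment name.

```java
import java.nio.charset.StandardCharsets;

public class PathSegmentEncoding {
    // RFC 3986 character classes that may appear literally in a path segment.
    static final String UNRESERVED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
    static final String SUB_DELIMS = "!$&'()*+,;=";

    // Percent-encode every UTF-8 byte whose character is not in `allowed`.
    static String encode(String value, String allowed) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            if (b >= 0 && allowed.indexOf(c) >= 0) {
                out.append(c);
            } else {
                out.append(String.format("%%%02X", b & 0xFF));
            }
        }
        return out.toString();
    }

    // "Escape only illegal characters": ';' is a sub-delim, so it passes through,
    // while '%' is not a legal literal, so a pre-escaped value is escaped again.
    static String lenient(String v) { return encode(v, UNRESERVED + SUB_DELIMS + ":@"); }

    // Strict policy: only unreserved characters pass through, so ';' is escaped.
    static String strict(String v) { return encode(v, UNRESERVED); }

    // What a receiver that honours path parameters takes as the segment name.
    static String segmentName(String rawSegment) {
        int i = rawSegment.indexOf(';');
        return i < 0 ? rawSegment : rawSegment.substring(0, i);
    }

    public static void main(String[] args) {
        String template = "http://www.example.com/user/{userId}/dashboard";
        // "john;doe" is the issue's value; "john%3Bdoe" is a constructed pre-escaped form.
        String[][] cases = {
            {"lenient", lenient("john;doe")},
            {"lenient, pre-escaped", lenient("john%3Bdoe")},
            {"strict", strict("john;doe")},
        };
        for (String[] c : cases) {
            System.out.printf("%-21s %s  (segment name: %s)%n",
                c[0], template.replace("{userId}", c[1]), segmentName(c[1]));
        }
    }
}
```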
Benjamin Gehrels opened SPR-11652 and commented
In URIs (and URLs), path components may have parameters delimited by a semicolon (called path parameters or matrix parameters). Therefore semicolons contained in the variable values should be escaped when expanding variables in path components of UriTemplates. Otherwise, parts of the variable's value will be interpreted as a path parameter (matrix variables) when parsing the URL later on.
I attached a unit test showing this problem:
should return http://www.example.com/user/john%3Bdoe/dashboard but instead returns http://www.example.com/user/john;doe/dashboard. So, instead of john;doe's dashboard, john's dashboard is delivered with a parameter doe.
Affects: 4.0.2
Attachments:
Issue Links:
Referenced from: commits 6f2c968
1 votes, 3 watchers