Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reactive GET request query-params are not decoded correctly. + sign must be space. [SPR-15860] #20415

Closed
spring-issuemaster opened this issue Aug 11, 2017 · 6 comments

Comments

Projects
None yet
2 participants
@spring-issuemaster
Copy link
Collaborator

commented Aug 11, 2017

Jean opened SPR-15860 and commented

When decoding query parameters, plus sign '+' must be decoded as space.

StringUtils.uriDecode() does not handle '+' sign. It's problem for query params.

For reference:

String value = URLDecoder.decode(pair.substring(idx + 1), charset.name());

when POST, URLDecoder.decode() is used and fine.


Affects: 5.0 RC3

Referenced from: commits 645e349

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Aug 14, 2017

Rossen Stoyanchev commented

StringUtils.uriDecode() works as expected as per RFC 3986. On the other hand URLDecoder.decode(), despite its name, is for HTML form decoding (as per its Javadoc) and the decoding of '+' to space is related to the treatment of form data.

What we could do is use URLDecoder.decode() when decoding query parameters on GET requests with Content-Type=application/x-www-form-urlencoded and keep the current behavior otherwise. Since I don't have more specific context, would that meet your case for you?

Arjen Poutsma what do you think?

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Aug 16, 2017

Jean commented

When browser (Chrome, Safari tested) submit <form method="GET">, spaces are encoded as '+'. Since there's no request body, Content-Type header is not set.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Aug 16, 2017

Jean commented

I guess this will help.

https://www.w3.org/TR/html5/forms.html#form-submission-algorithm

The query string is part of URL.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Aug 16, 2017

Rossen Stoyanchev commented

I don't think RFC 1630 is relevant any more. It does not have have the usual "Updated by" forward links but RFC 3986 (the current spec) refers to it in its introduction.

So to summarize, based on the HTML spec, browsers submit <form method="GET"> with form data in the query string. Since there is no way for the server to differentiate between a form GET (with form-encoded parameters in the query) from any other GET, we have to always use URLDecoder to decode query params as form encoded data.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Aug 16, 2017

Rossen Stoyanchev commented

I have switched AbstractServerHttpRequest#initQueryParams to use URLDecoder.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.