Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Reject "%2F" as an invalid sequence in simp messaging usernames #23836
Since messaging destinations are delimited by "/", the existing code performs a simple string replacement of "/" -> "%2F" in usernames. This allows usernames which contain "/" to be used and have messaging destinations parsed correctly. See SimpMessagingTemplate.java and DefaultUserDestinationResolver.java
Issue with Current State
Usernames that already contain "%2F" end up with that character sequence converted to a "/" by DefaultUserDestinationResolver. E.g.,
Here is an example test that fails, resulting in
A sample solution is included in this pull request using 2(b).
Should an explicit encoding be provided for String > byte and byte > String? If so, what? UTF-8? Or just let the behavior be undefined if running Java in an environment where the default encoding does not support a particular character?
Any feedback is appreciated!
As a note, I recreated this pull request since I didn't branch my fork of the code first or squash commits as recommended by the contribution guidelines.
I agree that rejecting
In our case it came up because the site we are developing is multi-tenanted and we want the username to represent a unique user-tenant combination, so the username in Spring is a combination of the tenant’s OAuth2 issuer and their subject. The issuer includes slashes and may contain our chosen delimiter, so we were URL encoding it before appending the delimiter and subject.
I’m not very familiar with the codebase here, but if you can point me in the right direction, I’m glad to add a rejection message or assertion for the character sequence
Okay thanks for elaborating.
This could probably be rejected at the point of trying to subscribe to a user destination. It could also be checked and rejected when trying to send a message in