Richard Zowalla created TOMEE-2656:
--------------------------------------
Summary: HTTP(s) basic auth failed if password contained ampersand passed via basic.password URL parameter
Key: TOMEE-2656
URL: https://issues.apache.org/jira/browse/TOMEE-2656
Project: TomEE
Issue Type: Bug
Components: TomEE Core Server
Affects Versions: 8.0.0-M3, 7.1.1, 7.0.6
Reporter: Richard Zowalla
Adding this issue to add an issue number to the PR proposed on Github:
[https://github.com/apache/tomee/pull/104]
{quote}A double-decode bug caused URLDecode to be applied twice to parameters passed in via URL including basic.username and basic.password. The parameters were automatically decoded by the call to URI.getQuery() then again as each parameter was parsed and added to the returned Map in MulticastConnectionFactory.URIs.parseQuery(). parseQuery() splits the query string on the ampersand character then explicitly URLDecode's each value. Since URI.getQuery() had already decoded the basic.password parameter, the splitting process in parseQuery truncated the password at the first ampersand character.
Instead, URI.getRawQuery() should be called to get the still URLEncoded query string. The splitting and subsequent decoding in parseQuery() then correctly extracts the full password from the query string.
PR contains failing unit test & fix.
{quote}
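The difference between the two java.net.URI accessors described in the report, as an added example that is not code from the TomEE PR. The `parseQuery` helper is a hypothetical stand-in that only mirrors the split-then-decode behaviour the report describes; the `multicast://` URIs, host, port and credentials are constructed sample values, and `URLDecoder.decode(String, Charset)` assumes Java 10 or later.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class DoubleDecodeDemo {

    // Hypothetical stand-in for the parsing the report describes:
    // split the query on '&', then URL-decode each key and value.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Parse the same URI through both accessors and print the recovered password.
    static void compare(String label, String uriText) {
        URI uri = URI.create(uriText);
        // getQuery() has already percent-decoded the string, so an encoded '&'
        // becomes a separator and every value is decoded a second time.
        String viaGetQuery = parseQuery(uri.getQuery()).get("basic.password");
        // getRawQuery() keeps the escapes, so splitting and decoding happen once.
        String viaGetRawQuery = parseQuery(uri.getRawQuery()).get("basic.password");
        System.out.printf("%s%n  getQuery():    %s%n  getRawQuery(): %s%n",
                label, viaGetQuery, viaGetRawQuery);
    }

    public static void main(String[] args) {
        // Constructed sample: the password contains '&', sent as %26.
        compare("ampersand in password",
                "multicast://239.255.2.3:6142?basic.username=admin&basic.password=s3cr%26t");
        // Constructed sample: the password contains a literal '%', sent as %25.
        compare("percent sign in password",
                "multicast://239.255.2.3:6142?basic.username=admin&basic.password=a%2541b");
    }
}
```

The second case shows that the double decode is not limited to ampersands: a password with a literal percent sign followed by two hex digits is altered on the `getQuery()` path rather than truncated.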