[ https://issues.apache.org/jira/browse/TOMEE-2656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla resolved TOMEE-2656.
------------------------------------
Fix Version/s: 7.1.2, 7.0.7, 8.0.0-M4
Resolution: Fixed
> HTTP(s) basic auth failed if password contained ampersand passed via basic.password URL parameter
> -------------------------------------------------------------------------------------------------
>
> Key: TOMEE-2656
> URL: https://issues.apache.org/jira/browse/TOMEE-2656
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 7.0.6, 7.1.1, 8.0.0-M3
> Reporter: Richard Zowalla
> Priority: Major
> Fix For: 8.0.0-M4, 7.0.7, 7.1.2
>
>
> Adding this issue to add an issue number to the PR proposed on GitHub:
> [https://github.com/apache/tomee/pull/104]
> {quote}A double-decode bug caused URLDecode to be applied twice to parameters passed in via URL including basic.username and basic.password. The parameters were automatically decoded by the call to URI.getQuery() then again as each parameter was parsed and added to the returned Map in MulticastConnectionFactory.URIs.parseQuery(). parseQuery() splits the query string on the ampersand character then explicitly URLDecode's each value. Since URI.getQuery() had already decoded the basic.password parameter, the splitting process in parseQuery truncated the password at the first ampersand character.
> Instead, URI.getRawQuery() should be called to get the still URLEncoded query string. The splitting and subsequent decoding in parseQuery() then correctly extracts the full password from the query string.
> PR contains failing unit test & fix.
> {quote}
>
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
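
The double decode described in the quoted report, reproduced as an added example (not code from the TomEE PR or code base). parseQuery below is a hypothetical stand-in for MulticastConnectionFactory.URIs.parseQuery(), and the URI, user name and password are constructed sample values.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class DoubleDecodeDemo {

    // Hypothetical stand-in for the parsing the issue describes:
    // split the query on '&', then URL-decode each name and value.
    static Map<String, String> parseQuery(String query) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed URI. The real password is "p&ss%41"; the client
        // percent-encodes '&' as %26 and '%' as %25 before sending it.
        URI uri = URI.create(
            "http://localhost:8080/app?basic.username=alice&basic.password=p%26ss%2541");

        // Before the fix: getQuery() has already decoded %26 to '&', so the
        // split cuts the password short and the tail becomes a stray key.
        Map<String, String> buggy = parseQuery(uri.getQuery());
        check("p".equals(buggy.get("basic.password")), "password should be truncated");
        check(buggy.containsKey("ssA"), "tail of the password is decoded a second time");

        // After the fix: getRawQuery() keeps the encoding until after the split.
        Map<String, String> fixed = parseQuery(uri.getRawQuery());
        check("p&ss%41".equals(fixed.get("basic.password")), "full password expected");
        check(fixed.size() == 2, "only the two real parameters expected");
        System.out.println("buggy=" + buggy + " fixed=" + fixed);
    }
}
```

The stray key in the buggy map shows that the defect is not limited to truncation: any parameter value containing an encoded ampersand can introduce extra entries into the parsed map.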