[ https://issues.apache.org/jira/browse/TOMEE-2656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Louis MONTEIRO updated TOMEE-2656:
---------------------------------------
    Fix Version/s: (was: 7.1.2)
                   (was: 7.0.7)
                   (was: 8.0.0-M4)
                   8.0.0-Final
> HTTP(s) basic auth failed if password contained ampersand passed via basic.password URL parameter
> -------------------------------------------------------------------------------------------------
>
> Key: TOMEE-2656
> URL: https://issues.apache.org/jira/browse/TOMEE-2656
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 7.0.6, 7.1.1, 8.0.0-M3
> Reporter: Richard Zowalla
> Priority: Major
> Fix For: 8.0.0-Final
>
>
> Adding this issue to add an issue number to the PR proposed on Github:
> [https://github.com/apache/tomee/pull/104]
> {quote}A double-decode bug caused URLDecode to be applied twice to parameters passed in via URL including basic.username and basic.password. The parameters were automatically decoded by the call to URI.getQuery() then again as each parameter was parsed and added to the returned Map in MulticastConnectionFactory.URIs.parseQuery(). parseQuery() splits the query string on the ampersand character then explicitly URLDecode's each value. Since URI.getQuery() had already decoded the basic.password parameter, the splitting process in parseQuery truncated the password at the first ampersand character.
> Instead, URI.getRawQuery() should be called to get the still URLEncoded query string. The splitting and subsequent decoding in parseQuery() then correctly extracts the full password from the query string.
> PR contains failing unit test & fix.
> {quote}
>
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
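
The double decode described in the quoted report, as an added example (not TomEE's code and not the code from the PR): `parseQuery` below is a hypothetical stand-in for `MulticastConnectionFactory.URIs.parseQuery()`, and the URIs, host, user name and passwords are constructed. The second URI goes beyond the ampersand case in the report and shows that a password containing a literal percent sequence is also altered by the second decode.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class DoubleDecodeDemo {

    // Hypothetical stand-in for the parser described in the report:
    // split the query on '&', then URL-decode each name and value.
    static Map<String, String> parseQuery(String query) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed URIs. The intended passwords are "pa&ss" and "pa%2Bss",
        // each percent-encoded once, as a client should send them.
        String[] uris = {
            "http://example.invalid/ejb?basic.username=alice&basic.password=pa%26ss",
            "http://example.invalid/ejb?basic.username=alice&basic.password=pa%252Bss",
        };
        for (String s : uris) {
            URI uri = URI.create(s);
            // Before the fix: getQuery() already decodes escapes, so "%26" is a
            // bare '&' by the time the parser splits, and values are decoded twice.
            String doubleDecoded = parseQuery(uri.getQuery()).get("basic.password");
            // After the fix: getRawQuery() keeps the escapes, so the split sees
            // only real separators and each value is decoded exactly once.
            String decodedOnce = parseQuery(uri.getRawQuery()).get("basic.password");
            System.out.println("getQuery():    " + doubleDecoded);
            System.out.println("getRawQuery(): " + decodedOnce);
        }
    }
}
```

A regression test for this class of bug should assert on the full recovered credential rather than only on a successful parse, since the truncated value is still a well-formed string.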