Robin KM created FELIX-5027:
-------------------------------
Summary: SSL Filter URL Decoding Issues
Key: FELIX-5027
URL: https://issues.apache.org/jira/browse/FELIX-5027
Project: Felix
Issue Type: Bug
Components: HTTP Service
Affects Versions: http.sslfilter-1.0.2
Reporter: Robin KM

In SslFilterResponse, the call to uri.getQuery() newly introduced with the following
FELIX-4920 commit is creating URL decoding issues:
https://github.com/apache/felix/commit/57819578b1b26f40a1f1d3c9f07fa928a395d0a9#diff-00202663cae410b17b36aa25e60ba6cb#L188
{quote}return new URI(this.clientProto,null, this.serverName, this.clientPort,
uri.getPath(),uri.getQuery(),uri.getFragment()).toURL();
{quote}
The uri.getQuery() will remove the decoding from the “resource” parameter
causing a 302 with a location which is not decoded.
So for example, it causes URLs to appear like
https://www.abc.com/?resource=https://mypage-1.abc.com:80/en.html?pbOpen=true&$$login$$=$$login$$&j_reason=errors.login.account.not.found
When the expected URL for example is:
https://www.abc.com/en/login.html?resource=%2Fen.html%3FpbOpen%3Dtrue&$$login$$=%24%24login%24%24&j_reason=errors.login.account.not.found
This creates problems when we have multiple domain URL mappings using Sling
resource and Apache mod_rewrite.
Also, it is important to note that the problem especially persists when the
“resource” parameter contains a URL with URL parameters (and thus with “?” in
it).
It may be good to utilize StringBuilder in this method instead of using
uri.getQuery() in combination with the URI and URL classes.
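
An added illustration of the behaviour reported above, not code from the report or from the Felix project: it runs the quoted constructor pattern next to a StringBuilder assembly built from java.net.URI's raw getters, then checks whether the query survives byte for byte. The class name, method names, host names and the sample Location value are assumptions constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SslFilterLocationRewrite {
    // Pattern quoted in the report: getQuery() percent-decodes the query, and the
    // multi-argument URI constructor re-quotes only illegal characters, so
    // %2F, %3F, %3D and %26 come back as literal "/", "?", "=" and "&".
    static String rewriteDecoded(URI uri, String proto, String host, int port)
            throws URISyntaxException {
        return new URI(proto, null, host, port,
                uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
    }

    // Assembles the string from the raw components so existing escapes survive.
    // Passing getRawQuery() to the constructor above is not a fix: it always
    // quotes "%", turning %2F into %252F.
    static String rewriteRaw(URI uri, String proto, String host, int port) {
        StringBuilder sb = new StringBuilder(proto).append("://").append(host);
        if (port != -1) sb.append(':').append(port);
        if (uri.getRawPath() != null) sb.append(uri.getRawPath());
        if (uri.getRawQuery() != null) sb.append('?').append(uri.getRawQuery());
        if (uri.getRawFragment() != null) sb.append('#').append(uri.getRawFragment());
        return sb.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed Location header value, modelled on the URLs in the report.
        URI location = new URI("http://backend.example:8080/en/login.html"
                + "?resource=%2Fen.html%3FpbOpen%3Dtrue%26x%3D1&j_reason=errors.login");

        String decoded = rewriteDecoded(location, "https", "www.example.com", -1);
        String raw = rewriteRaw(location, "https", "www.example.com", -1);
        System.out.println("decoded: " + decoded);
        System.out.println("raw:     " + raw);

        // Regression check: the rewritten query must be byte-identical to the original.
        String in = location.getRawQuery();
        System.out.println("decoded keeps query: " + in.equals(URI.create(decoded).getRawQuery()));
        System.out.println("raw keeps query:     " + in.equals(URI.create(raw).getRawQuery()));
    }
}
```

In the decoded variant the escaped `%26` inside the “resource” value becomes a bare `&`, so the nested parameter is promoted to a top-level parameter of the redirect target; a byte-for-byte comparison of the raw query is a simple regression test for this.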