[
https://issues.apache.org/jira/browse/FELIX-5027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14802897#comment-14802897
]
Robin KM commented on FELIX-5027:
---------------------------------
Thank you [~cziegeler]. :)
> SSL Filter URL Decoding Issues
> ------------------------------
>
> Key: FELIX-5027
> URL: https://issues.apache.org/jira/browse/FELIX-5027
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http.sslfilter-1.0.2
> Reporter: Robin KM
> Assignee: Carsten Ziegeler
> Fix For: http.sslfilter-1.0.4
>
>
> In SslFilterResponse, the call to uri.getQuery() newly introduced with the following
> FELIX-4920 commit is creating URL decoding issues:
> https://github.com/apache/felix/commit/57819578b1b26f40a1f1d3c9f07fa928a395d0a9#diff-00202663cae410b17b36aa25e60ba6cb
> #L188
> {quote}return new URI(this.clientProto,null, this.serverName,
> this.clientPort, uri.getPath(),uri.getQuery(),uri.getFragment()).toURL();
> {quote}
> The uri.getQuery() will remove the decoding from the “resource” parameter
> causing a 302 with a location which is not decoded.
> So for example, it causes URLs to appear like
> https://www.abc.com/?resource=https://mypage-1.abc.com:80/en.html?pbOpen=true&$$login$$=$$login$$&j_reason=errors.login.account.not.found
> When the expected URL for example is:
> https://www.abc.com/en/login.html?resource=%2Fen.html%3FpbOpen%3Dtrue&$$login$$=%24%24login%24%24&j_reason=errors.login.account.not.found
> This creates problems when we have multiple domain URL mappings using Sling
> resource and Apache mod_rewrite.
> Also, it is important to note that the problem especially persists when the
> “resource” parameter contains a URL with URL parameters (and thus with “?” in
> it).
> It may be good to utilize StringBuilder in this method instead of using
> uri.getQuery() in combination with the URI and URL classes.
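The behaviour reported above can be reproduced with plain java.net.URI. The following is an added example, not Felix code and not the fix that went into http.sslfilter-1.0.4; the class and method names, the host names and the extra `x=1` parameter are constructed for illustration. It rebuilds the same Location value once from decoded components, as in the quoted line, and once from the raw components with a StringBuilder, and shows that the decoded rebuild turns an escaped `&` inside "resource" into a real parameter separator, because the multi-argument URI constructor does not re-escape characters that are legal in a query.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class QueryRebuildDemo {
    // Rebuild as in the quoted line: decoded components fed to the multi-argument constructor.
    static String rebuildDecoded(URI uri, String proto, String host, int port) throws URISyntaxException {
        return new URI(proto, null, host, port, uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
    }

    // Rebuild from the raw (still percent-encoded) components, so escapes survive unchanged.
    static String rebuildRaw(URI uri, String proto, String host, int port) {
        StringBuilder sb = new StringBuilder(proto).append("://").append(host);
        if (port > 0) sb.append(':').append(port);
        if (uri.getRawPath() != null) sb.append(uri.getRawPath());
        if (uri.getRawQuery() != null) sb.append('?').append(uri.getRawQuery());
        if (uri.getRawFragment() != null) sb.append('#').append(uri.getRawFragment());
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed Location value, modelled on the expected URL in the report.
        URI in = URI.create("http://backend.example:80/en/login.html"
                + "?resource=%2Fen.html%3FpbOpen%3Dtrue%26x%3D1&j_reason=errors.login.account.not.found");
        String decoded = rebuildDecoded(in, "https", "www.example.com", 443);
        String raw = rebuildRaw(in, "https", "www.example.com", 443);
        System.out.println("getQuery():    " + decoded);
        System.out.println("getRawQuery(): " + raw);
        // Count top-level parameters: the decoded rebuild turns the escaped '&' inside
        // "resource" into a real separator, so the receiver sees an extra parameter.
        System.out.println("params decoded=" + URI.create(decoded).getRawQuery().split("&").length
                + " raw=" + URI.create(raw).getRawQuery().split("&").length);
    }
}
```

A redirect target that changes its parameter boundaries in transit is worth treating as a security-relevant defect as well as a functional one, since downstream rewrite rules and login handlers then act on a different "resource" value than the one the application emitted.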