[
https://issues.apache.org/jira/browse/FELIX-5093?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xavier Fournet updated FELIX-5093:
----------------------------------
Description:
The HttpServletRequest.getRequestURI must return the URI without processing %
escaping. Since version 3.1.0 this processing is done, so the returned value is
incorrect. For example, this can lead to an error in Apache Shiro when it tries to
unescape % in a URI.
See the attached jar for a bundle that can be used to reproduce the problem:
* load the bundle
* with a browser, go to http://localhost:8080/requesturibug/test%2Ftest%25test
With HTTP Jetty < 3.1.0 it prints:
{noformat}
Request URI: /requesturibug/test%2Ftest%25test
(org.apache.felix.http.base.internal.handler.ServletHandlerRequest)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.apache.felix.http.base.internal.dispatch.FilterPipeline$FilterRequestWrapper)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.apache.felix.http.base.internal.DispatcherServlet$AttributeEventRequest)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.eclipse.jetty.server.Request)
{noformat}
=> request URI is ok
With HTTP Jetty 3.1.0 or 3.1.2 it prints:
{noformat}
Request URI: /requesturibug/test/test%test
(org.apache.felix.http.base.internal.dispatch.ServletRequestWrapper)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.eclipse.jetty.server.Request)
{noformat}
=> request URI is wrong while the underlying request URI returned by Jetty
itself is correct.
When this request comes to the Shiro filter, it will issue an exception because it
will try to unescape "%te", which is not valid since "te" is not a number.
was:
The HttpServletRequest.getRequestURI must return the URI without processing %
escaping. Since version 3.1.0 this processing is done, so the returned value is
incorrect. For example, this can lead to an error in Apache Shiro when it tries to
unescape % in a URI.
See the attached jar for a bundle that can be used to reproduce the problem:
* load the bundle
* with a browser, go to http://localhost:8080/requesturibug/test%2Ftest%25test
With HTTP Jetty < 3.1.0 it prints:
{noformat}
Request URI: /requesturibug/test%2Ftest%25test
(org.apache.felix.http.base.internal.handler.ServletHandlerRequest)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.apache.felix.http.base.internal.dispatch.FilterPipeline$FilterRequestWrapper)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.apache.felix.http.base.internal.DispatcherServlet$AttributeEventRequest)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.eclipse.jetty.server.Request)
{noformat}
=> request URI is ok
With HTTP Jetty 3.1.0 or 3.1.2 it prints:
{noformat}
Request URI: /requesturibug/test/test%test
(org.apache.felix.http.base.internal.dispatch.ServletRequestWrapper)
Wrapped URI: /requesturibug/test%2Ftest%25test
(org.eclipse.jetty.server.Request)
{noformat}
=> request URI is wrong while the underlying request URI returned by Jetty
itself is correct
> HttpServletRequest.getRequestURI is broken for escaped char in URL since 3.1.0
> ------------------------------------------------------------------------------
>
> Key: FELIX-5093
> URL: https://issues.apache.org/jira/browse/FELIX-5093
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http.jetty-3.1.0, http.jetty-3.1.2
> Reporter: Xavier Fournet
> Priority: Blocker
> Attachments: requesturibug-1.0.0-SNAPSHOT.jar,
> requesturibug-sources.zip
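The double-decoding failure described in the report, as an added example that is not part of the original message and is not Felix, Jetty or Shiro code. The class name and the `percentDecode` and `segments` helpers are hypothetical; the URI is the one from the report. Decoding once reproduces the value the 3.1.x wrapper returned, and a second pass by a downstream filter fails at `%te`.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class RequestUriDecodeDemo {

    // Strict percent-decoder (hypothetical helper): every '%' must be
    // followed by two hex digits. Input is assumed to be ASCII, as a raw
    // request URI is.
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '%') {
                out.write(c);
                continue;
            }
            boolean complete = i + 2 < s.length();
            int hi = complete ? Character.digit(s.charAt(i + 1), 16) : -1;
            int lo = complete ? Character.digit(s.charAt(i + 2), 16) : -1;
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException(
                        "invalid escape at index " + i + " in \"" + s + "\"");
            }
            out.write((hi << 4) | lo);
            i += 2; // skip the two hex digits just consumed
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Number of non-empty path segments, to show how decoding %2F
    // changes the path structure a filter would match against.
    static int segments(String path) {
        int n = 0;
        for (String part : path.split("/")) {
            if (!part.isEmpty()) n++;
        }
        return n;
    }

    public static void main(String[] args) {
        String raw = "/requesturibug/test%2Ftest%25test"; // URI from the report
        String once = percentDecode(raw); // value the 3.1.x wrapper returned
        System.out.println("raw          : " + raw + " segments=" + segments(raw));
        System.out.println("decoded once : " + once + " segments=" + segments(once));
        System.out.println("wrapper value equals container value: " + once.equals(raw));
        try {
            // A filter that assumes getRequestURI() is still encoded decodes again.
            System.out.println("decoded twice: " + percentDecode(once));
        } catch (IllegalArgumentException e) {
            System.out.println("decoded twice: rejected, " + e.getMessage());
        }
    }
}
```

Comparing the wrapper's `getRequestURI()` value with the container's for a URI containing `%2F` and `%25`, as the attached bundle does, is enough to catch this regression in a test.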