risdenk commented on a change in pull request #70: KNOX-1817 - Fix XSS issues
with Alias API
URL: https://github.com/apache/knox/pull/70#discussion_r264922320
##########
File path:
gateway-service-admin/src/main/java/org/apache/knox/gateway/service/admin/AliasResource.java
##########
@@ -100,15 +105,20 @@ public Response postAlias(@PathParam("topology") final
String topology,
final AliasService as = getAliasService();
try {
+ /* check if the string is properly encoded and expect encoded values */
+ topology = URLDecoder.decode(topology, StandardCharsets.UTF_8.name());
+ alias = URLDecoder.decode(alias, StandardCharsets.UTF_8.name());
+ value = URLDecoder.decode(value, StandardCharsets.UTF_8.name());
Review comment:
Yea sorry wasn't clear. I meant does the url decoding mess up what alias
values can be stored. ie: `kevin%20password` but guess it doesn't matter since
this gets removed anyway :)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
