Aaron Steigerwald created ARTEMIS-3388:
------------------------------------------
Summary: Encoded acceptor passwords replace plus + sign with space
Key: ARTEMIS-3388
URL: https://issues.apache.org/jira/browse/ARTEMIS-3388
Project: ActiveMQ Artemis
Issue Type: Bug
Components: ActiveMQ-Artemis-Native
Affects Versions: 2.17.0
Reporter: Aaron Steigerwald
Assignee: Clebert Suconic

An encoded acceptor password like
keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to
ENC(ql6LSJ YMxGN1yn1r/F0yw==) prior to being passed to the
SensitiveDataCodec.decode method. This causes exceptions like
"java.lang.IllegalArgumentException: Illegal base64 character 20" if the
SensitiveDataCodec implementation is expecting Base64 characters because a
space is not a valid Base64 character.

This appears to be happening because the string is URL decoded twice. The first
time is implicit in the
org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls
uri.getQuery(), and according to
https://docs.oracle.com/javase/8/docs/api/java/net/URI.html, "The getUserInfo,
getPath, getQuery, getFragment, getAuthority, and getSchemeSpecificPart methods
decode any escaped octets in their corresponding components. The strings
returned by these methods may contain both other characters and illegal
characters, and will not contain any escaped octets." The second time is
explicit in the org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI
method. It calls URLDecoder.decode(value, "UTF-8").

The workaround is to replace all spaces with plus + characters in the custom
SensitiveDataCodec.decode method. This is safe because the method is expecting
only valid Base64 characters and the space character will only exist if it's
been converted from a plus + character.
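
The double decode and the workaround described in the report, reproduced with JDK calls only. This is an added example, not code from the report or from Artemis: the class name, the acceptor host and port, and the unwrap helper that strips ENC( ) are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.Base64;

public class DoubleDecodeDemo {

    // Strip the ENC( ... ) wrapper (simplified helper, not Artemis code).
    static String unwrap(String v) {
        return v.startsWith("ENC(") && v.endsWith(")") ? v.substring(4, v.length() - 1) : v;
    }

    // The report's workaround as a codec would apply it: a space can only be a
    // '+' mangled by the second decode, so restore it before Base64 decoding.
    static byte[] decodeWithWorkaround(String masked) {
        return Base64.getDecoder().decode(masked.replace(' ', '+'));
    }

    public static void main(String[] args) throws Exception {
        // Constructed acceptor URI; host and port are placeholders.
        URI uri = new URI("tcp://localhost:61616?keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)");

        // First decode: getQuery() already turns %2B into '+'.
        String query = uri.getQuery();
        String once = query.substring(query.indexOf('=') + 1);
        System.out.println("after getQuery():        " + once);

        // Second decode: form decoding maps '+' to a space.
        String twice = URLDecoder.decode(once, "UTF-8");
        System.out.println("after URLDecoder.decode: " + twice);

        // A strict Base64 decoder rejects the space (0x20).
        try {
            Base64.getDecoder().decode(unwrap(twice));
        } catch (IllegalArgumentException e) {
            System.out.println("strict Base64 decode:    " + e.getMessage());
        }

        // With the workaround, the bytes match those of the singly decoded value.
        byte[] recovered = decodeWithWorkaround(unwrap(twice));
        byte[] expected = Base64.getDecoder().decode(unwrap(once));
        System.out.println("workaround matches:      " + Arrays.equals(recovered, expected));
    }
}
```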