[
https://issues.apache.org/jira/browse/ARTEMIS-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Bertram updated ARTEMIS-3388:
------------------------------------
Summary: URI query values decoded twice (was: Encoded acceptor passwords
replace plus + sign with space)
> URI query values decoded twice
> ------------------------------
>
> Key: ARTEMIS-3388
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3388
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.17.0
> Reporter: Aaron Steigerwald
> Priority: Minor
>
> An encoded acceptor password like
> keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to
> ENC(ql6LSJ YMxGN1yn1r/F0yw==) prior to being passed to the
> SensitiveDataCodec.decode method. This causes exceptions like
> "java.lang.IllegalArgumentException: Illegal base64 character 20" if the
> SensitiveDataCodec implementation is expecting Base64 characters because a
> space is not a valid Base64 character.
> This appears to be happening because the string is URL decoded twice. The
> first time is implicit in the
> org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls
> uri.getQuery(), which according to
> [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html] "The
> getUserInfo, getPath, getQuery, getFragment, getAuthority, and
> getSchemeSpecificPart methods +decode+ any escaped octets in their
> corresponding components. The strings returned by these methods may contain
> both other characters and illegal characters, and will not contain any
> escaped octets." The second time is explicit in the
> org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI method. It calls
> URLDecoder.decode(value, "UTF-8").
> The workaround is to replace all spaces with plus + characters in the custom
> SensitiveDataCodec.decode method. This is safe because the method is
> expecting only valid Base64 characters and the space character will only
> exist if it's been converted from a plus + character.
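
The double decode described in the report, reproduced with the two JDK calls it names (URI.getQuery() followed by URLDecoder.decode(value, "UTF-8")). This is an added example, not code from Artemis or from the reporter; the class name, helper names, host and port are assumptions, and the getRawQuery() variant is one illustrative way to decode only once, not the project's fix.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.util.Base64;

public class DoubleDecodeDemo {

    // Extracts the text between "ENC(" and ")" from a "key=ENC(...)" pair.
    static String encPayload(String pair) {
        String value = pair.substring(pair.indexOf('=') + 1);
        return value.substring("ENC(".length(), value.length() - 1);
    }

    // Stands in for a SensitiveDataCodec that expects Base64 input.
    static String tryBase64(String payload) {
        try {
            return Base64.getDecoder().decode(payload).length + " bytes decoded";
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed acceptor URI: host and port are placeholders,
        // the query value is the one quoted in the report.
        URI uri = new URI(
            "tcp://localhost:61616?keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)");

        // First decode (implicit): getQuery() unescapes %2B to '+'.
        String once = uri.getQuery();
        // Second decode (explicit): URLDecoder reads '+' as an encoded space.
        String twice = URLDecoder.decode(once, "UTF-8");
        // Decoding once only: start from the raw, still-escaped query.
        String rawOnce = URLDecoder.decode(uri.getRawQuery(), "UTF-8");
        // Workaround from the report: map spaces back to '+' before Base64.
        String workaround = encPayload(twice).replace(' ', '+');

        System.out.println("getQuery()            : " + once);
        System.out.println("  base64              : " + tryBase64(encPayload(once)));
        System.out.println("getQuery() + decode   : " + twice);
        System.out.println("  base64              : " + tryBase64(encPayload(twice)));
        System.out.println("getRawQuery() + decode: " + rawOnce);
        System.out.println("  base64              : " + tryBase64(encPayload(rawOnce)));
        System.out.println("workaround payload    : " + workaround);
        System.out.println("  base64              : " + tryBase64(workaround));
    }
}
```

The same check applies to any value that legitimately contains '+' or '%' (Base64 blobs, encrypted passwords, tokens): compare the value before and after each decode step to confirm it is unescaped exactly once.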