[ 
https://issues.apache.org/jira/browse/OFBIZ-10275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17195321#comment-17195321
 ] 

ASF subversion and git services commented on OFBIZ-10275:
---------------------------------------------------------

Commit a353cda8b6f5ae4fa5dd0706b7885b6402488f76 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a353cda ]

Fixed: Error while decoding url parameters with percent character (OFBIZ-12014)

This has been already fixed (and clearly explained) in OFBIZ-10275 and broken
again in OFBIZ-11822

Thanks: Pradeep Choudhary


> UtilCodec URL decoding breaks values with german umlauts
> --------------------------------------------------------
>
>                 Key: OFBIZ-10275
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10275
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Martin Becker
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: 16.11.05, 18.12.01, 17.12.01
>
>         Attachments: OFBIZ-10275_UrlCodec_decode_via_URLDecoder.patch
>
>
> ...and other UTF-8 characters encoded in two hex. values like in this example:
> {code:java}
> String example = "/webcontent/example_öl.jpg";
> String encoded = UtilCodec.getEncoder("url").encode(example);
> System.out.println(encoded);
> // => "%2Fwebcontent%2Fexample_%C3%B6l.jpg"
> String decoded = UtilCodec.getDecoder("url").decode(encoded);
> System.out.println(decoded);
> // => "/webcontent/example_öl.jpg"
> {code}
>  
> The reason for this is the OWASP ESAPI PercentCodec implementation used 
> within the method UtilCodec.canonicalize, called before the proper decoding 
> via java.net.URLDecoder here:
> {code:java}
> public String decode(String original) {
>     try {
>         String canonical = canonicalize(original);
>         return URLDecoder.decode(canonical, "UTF-8");
>     } catch (UnsupportedEncodingException ee) {
>         Debug.logError(ee, module);
>         return null;
>     }
> }{code}
>  
> The fix could be to only use the canonicalize logic to check the original 
> value for double/mixed encoding and to encode the original value afterwards 
> via URLDecoder instead of using the canonicalize output for this.
>  This way the UrlCodec decode method matches the encode method by only using 
> URLDecoder / URLEncoder for doing the main job.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
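
The decoding order described in the quoted report, as an added example that is not OFBiz or ESAPI code: `perByteDecode` is a hypothetical, simplified stand-in for a canonicalizer that turns each `%XX` into a single character, and the class and method names are assumptions. It needs Java 10+ for the `URLDecoder.decode(String, Charset)` overload.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class UrlDecodeDemo {

    // Hypothetical stand-in: maps every %XX to ONE char, ignoring UTF-8 sequences.
    static String perByteDecode(String in) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            if (c == '%' && i + 2 < in.length()) {
                int hi = Character.digit(in.charAt(i + 1), 16);
                int lo = Character.digit(in.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    out.append((char) (hi * 16 + lo));
                    i += 2;
                    continue;
                }
            }
            out.append(c); // literal character or an incomplete escape
        }
        return out.toString();
    }

    // Shape of the reported decode(): the canonicalized string is what gets decoded.
    static String decodeViaCanonical(String original) {
        return URLDecoder.decode(perByteDecode(original), StandardCharsets.UTF_8);
    }

    // Shape of the proposed fix: canonicalization only checks, URLDecoder decodes the original.
    static String decodeOriginal(String original) {
        String once = perByteDecode(original);
        if (!once.equals(perByteDecode(once))) { // a second pass still changes it
            throw new IllegalArgumentException("multiple encoding detected");
        }
        return URLDecoder.decode(original, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String encoded = "%2Fwebcontent%2Fexample_%C3%B6l.jpg"; // value from the report
        System.out.println(decodeViaCanonical(encoded)); // two-byte character is split
        System.out.println(decodeOriginal(encoded));     // two-byte character survives
        try {
            decodeOriginal("%252Fwebcontent"); // constructed double-encoded input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```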
