[Stripes-dev] [JIRA] Commented: (STS-899) Stripes decodes already-decoded URI

Wed, 13 Mar 2013 03:48:42 -0700 

    [ 
http://www.stripesframework.org/jira/browse/STS-899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12905#comment-12905
 ] 

Remi VANKEISBELCK commented on STS-899:
---------------------------------------

Ok thanks for the info !!! Was wondering why those "getAttribute" calls were 
made. 

Yep seems like yet another under-specified spec section. 

You've encountered the issue because you're using "%25" which decodes to "%", 
then Stripes tries to decode again... I think nobody found this issue before 
because nobody used "%" in URLs before, so running urlDecode "twice" produced 
the same result...

You are in a quite edgy use case with this % in URLs.

The best solution is probably to handle this yourself by preventing those chars 
to appear in your links.

 

> Stripes decodes already-decoded URI
> -----------------------------------
>
>                 Key: STS-899
>                 URL: http://www.stripesframework.org/jira/browse/STS-899
>             Project: Stripes
>          Issue Type: Bug
>          Components: ActionBean Dispatching
>    Affects Versions: Release 1.5.7
>         Environment: Tomcat 7.0.37 on Mac OS X
> Tomcat 7.0.27 on Linux
>            Reporter: Peter Štibraný
>            Assignee: Remi VANKEISBELCK
>         Attachments: STS-899.patch
>
>
> GET /zip/DownloadZip.action/Len%25ovo.zip HTTP/1.1
> Host: localhost:8080
> ...
> fails with following exception: 
> java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in 
> escape (%) pattern - For input string: "ov"
>       at java.net.URLDecoder.decode(URLDecoder.java:173)
>       at net.sourceforge.stripes.util.StringUtil.urlDecode(StringUtil.java:90)
>       at 
> net.sourceforge.stripes.util.HttpUtil.getRequestedPath(HttpUtil.java:59)
>       at 
> net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:220)
>       at 
> net.sourceforge.stripes.controller.DynamicMappingFilter.doFilter(DynamicMappingFilter.java:418)
>       at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>       at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> for action with @UrlBinding("/zip/DownloadZip.action/{archiveName}").
> Problem is that HttpUtil.getRequestedPath uses StringUtil.urlDecode to decode 
> servletPath + pathInfo, however both request.servletPath and request.pathInfo 
> are already decoded by Servlet Container, as mentioned in the documentation.
> In our case, servletPath returns "/zip/DownloadZip.action/Len%ovo.zip" while 
> pathInfo returns null. HttpUtil then tries to decode this string, which fails.
> However it should not even try to do the decoding on its own.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development

Reply via email to