Bug 569406 - URL Decoder Exception for path parameter containing %2F
Summary: URL Decoder Exception for path parameter containing %2F
Status: RESOLVED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Compendium (show other bugs)
Version: 4.16   Edit
Hardware: All All
: P3 critical (vote)
Target Milestone: 4.19 M1   Edit
Assignee: Thomas Watson CLA
QA Contact:
URL:
Whiteboard:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2020-12-02 13:09 EST by Kshitiz Bhattarai CLA
Modified: 2021-03-22 13:45 EDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kshitiz Bhattarai CLA 2020-12-02 13:09:02 EST 
The original fix https://github.com/eclipse/rt.equinox.bundles/commit/9a0d95dd4a5d08977564f4ca5930b5570bccdc8d to this bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=562843 is not valid. 

It does invalid logic to decode path parameter and if the path parameter contains / as encoded %2F ex:

/view/%2FTABLES%2FTMP%2FZREST_SBOOK/data

Would result in,

Error 500 java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern.

This is essentially due to the fact that the logic to substring uses the decoded path parameter rather than original request URI.

ex: 
In the code:
```
			if (pos > -1) {
				String newServletPath = requestURI.substring(0, pos);
				pathInfo = decode(requestURI.substring(pos));
				servletPath = decode(newServletPath);
				pos = servletPath.lastIndexOf('/');

				continue;
			}
```

If first call say our requestURI is following,

/view/%2FTABLES%2FTMP%2FZREST_SBOOK/data

Then newServletPath uses requestURI which isn't decoded.

And now we get, 
servletPath = /view//TABLES/TMP/ZREST_SBOOK 
pathInfo = /data

However when we do servletPath.lastIndexOf it now uses decoded string and get / which results into position being wrong and we will now do for

newServletPath = /view/%2FTABLES%2

This will result on URLDecoder error.

One option to fix this issue could be:

```
         String newServletPath = requestURI.substring(0, pos);
         pathInfo = decode(requestURI.substring(pos));
         requestURI = newServletPath; <- Use requestURI for processing and don't decode servlet path.
```
Comment 1 Andrey Loskutov CLA 2020-12-02 13:34:45 EST 
Please provide a Gerrit patch.
Comment 2 Kshitiz Bhattarai CLA 2020-12-02 13:42:19 EST 
I don't know how to do provide the gerrit patch?
Comment 3 Eclipse Genie CLA 2020-12-02 15:37:21 EST 
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.bundles/+/173265
Comment 4 Kshitiz Bhattarai CLA 2020-12-02 15:39:48 EST 
Thanks i see the changes. That should work.
Comment 5 Thomas Watson CLA 2020-12-02 15:44:28 EST 
(In reply to Eclipse Genie from comment #3)
> New Gerrit change created:
> https://git.eclipse.org/r/c/equinox/rt.equinox.bundles/+/173265

Turns out that any encoded character can cause this, not just slash (%2F). The key is that the path of the request URI has to have multiple parts (non-encoded / separated) along with one or more encoded characters in the parts.  This causes the position calculation of the request URI actual slashes '/' to be incorrect.  In the unlucky case this can cause the URLDecoder IllegalArgumentException to happen when the position is incorrectly calculated such that it splits the encoded character.

Kshitiz, please have a look at the testcases I added above to make sure they are in line with the usecase you have which is reproducing this.
Comment 6 Eclipse Genie CLA 2020-12-04 11:07:35 EST 
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.bundles/+/173412
Comment 9 Thomas Watson CLA 2020-12-04 13:03:04 EST 
Will be included in the first integration build towards 4.19 release.
Comment 10 Eclipse Genie CLA 2021-03-22 13:05:14 EDT 
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.bundles/+/178223