[MAGNOLIA-6849] Issue within CosMultipartRequestFilter regarding encoding of request parameters Created: 28/Oct/16  Updated: 31/May/21  Resolved: 31/May/21

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 5.4.9
Fix Version/s: 6.2

Type: Bug Priority: Neutral
Reporter: Mercedes Iruela Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Java Source File CosMultipartRequestFilterTest.java    
Issue Links:
causality
supersession
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

There is an issue within the CosMultipartRequestFilter regarding the encoding of request parameters. This issue happens
under the following circunstances:

  • The request comes with a query string AND form data.
  • The request uses an encoding other thant US-ASCII (in our case UTF-8)

The issue can be tested using the provided CosMultipartRequestFilterTest . The scenario is as followed:

  • The query string contains a parameter "query" with the value "Tür" (URI Encoding: T%C3%BCr).
  • Since the request encodes properly configured to UTF-8 the filters "on the top" can access the right value "Tür".
  • Due to the fact that there's form data the CosMultipartRequestFilter alters the request, so following filter will use
    the wrapper MultipartRequest.
  • The constructor of this MultipartRequest wrapper checks if there's a query string which is the case. However it
    doesn't respect the encoding so the the parsed parameters returned by HttpUtils.parseQueryString remain unencoded.
    This causes the previously properly encoded request parameter "query" to be replaced using the invalid encoded
    value "Tür"

*******************************************************************
Api documentation for javax.servlet.http.HttpServletRequest.getQueryString said:

a <code>String</code> containing the query string or <code>null</code> if the URL contains no query string. The value is not decoded by the container.

Since the value is NOT decoded by the container it's provided as it is.



 Comments   
Comment by Jan Haderka [ 31/May/21 ]

Fixed by MAGNOLIA-7566

Generated at Mon Feb 12 04:18:25 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.