
[JerseyWebTarget] QueryParam not complete encoded

Open CallMeFlanby opened this issue 2 years ago • 6 comments

Hello,

I have to report that I noticed that the WebTarget from Jersey Client (Version 2.37) is not encoding query parameters correctly. We are using it to send a password, and that is how we noticed that something is happening. Currently, we encode the password before we set it as a query parameter.

An exception is also thrown: java.lang.IllegalArgumentException: Illegal character ";" at position 76 is not allowed as a part of a name in a path template "UserLogin=(MYLOGIN)&Password=%C3%98%C3%92%C3%8C%C3%A9%C2%A2%C3%A2%5Bi{ùÁe;ª3jË6ð1nLB/X¢. Please notice that (MYLOGIN) is not the correct UserLogin and the correct UserLogin was replaced in order to post this issue.

Example:

  • Plain password: ØÒÌé¢â[i{ùÁe;ª3jË6ð1nLB/X¢
  • From JettyWebTarget encoded: %C3%98%C3%92%C3%8C%C3%A9%C2%A2%C3%A2%5Bi{ùÁe;ª3jË6ð1nLB/X¢
  • From Java URLEncoder with StandardCharsets UTF8: %C3%98%C3%92%C3%8C%C3%A9%C2%A2%C3%A2%5Bi%7B%C3%B9%C3%81e%3B%C2%AA3j%C3%8B6%C3%B01nLB%2FX%C2%A2

As you see, JettyWebTarget is not encoding the query parameter to 100%.

Please check and let me know if this issue was not opened in the correct forum. I also searched, but could not find another issue related to this problem.

Best regards

CallMeFlanby avatar Feb 02 '23 10:02 CallMeFlanby

Do you have new info?

CallMeFlanby avatar Jul 04 '23 06:07 CallMeFlanby

Related #5289, #5269. WIP

jansupol avatar Jul 04 '23 08:07 jansupol

Related #5289, #5269. WIP

Thanks for your reply. I do see my issue is older than those two but at least #5269 has more comments. Should I close this issue then? Or should it rather be left open?

CallMeFlanby avatar Jul 05 '23 08:07 CallMeFlanby

The actual problem is the { symbol. The symbol says the template parameter starts, and the next string ùÁe is an acceptable name, but the semicolon is not an acceptable part of the name in the template variable.

Now there are two options.

  • One option is to continue parsing and check whether there is an end of the template '}' and, if so, throw the exception; otherwise, think of it as not a template and properly percent-encode.
  • The second option, used by Jersey, is to inform the user that there is an illegal name, or, in the case the name was legal, to inform that the } symbol is missing.

The first approach brings additional complexity and open questions.

  • What if more { symbols occur? Are all of them non-template symbols, or is any of them a template symbol?

jansupol avatar Jul 25 '23 13:07 jansupol

What exactly is the Jersey code you use?

jansupol avatar Jul 25 '23 14:07 jansupol

What exactly is the Jersey code you use?

This was our code:

    // Field: client target built once for the OTRS base URI
    private final WebTarget target = ClientBuilder.newBuilder()
            .withConfig(new ClientConfig().register(JacksonJaxbJsonProvider.class))
            .build()
            .target(URI.create(otrsPaths.mainPath()));

    // Inside the calling method: the password is URL-encoded before queryParam()
    var req = target
            .path(otrsPaths.sessionPath())
            .queryParam(OTRSUserLogin, username)
            .queryParam(OTRSPass, URLEncoder.encode(password, StandardCharsets.UTF_8));

CallMeFlanby avatar Sep 11 '23 16:09 CallMeFlanby
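
Following the explanation above that `{` in a query value is read as the start of a template, one way to avoid that is to bind the value through a named JAX-RS template and fill it with `WebTarget.resolveTemplate`, so the value itself is never parsed for templates. This is an added example, not code from the issue or from Jersey; it assumes Jersey 2.x (`javax.ws.rs`) on the classpath, and the class, helper names, URL, path and sample password are constructed for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;

public class QueryParamTemplateExample {

    // Binds the value through a named template instead of passing it to
    // queryParam() directly, so "{" in the value is not parsed as a template.
    static WebTarget withQueryValue(WebTarget base, String param, String value) {
        String slot = "v_" + param;                  // hypothetical template name
        return base.queryParam(param, "{" + slot + "}")
                   .resolveTemplate(slot, value);    // value is percent-encoded here
    }

    // Decodes one parameter back out of the raw query string for verification.
    static String decodedParam(URI uri, String param) {
        for (String pair : uri.getRawQuery().split("&")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2 && kv[0].equals(param)) {
                return URLDecoder.decode(kv[1], StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample value with the kinds of characters from the
        // report: "{", ";", "/", "[" and non-ASCII, plus "&" and "=".
        String password = "\u00d8[i{\u00f9e;3j/X&=";
        WebTarget base = ClientBuilder.newClient()
                .target("https://otrs.example.invalid/api")   // placeholder URL
                .path("Session");                             // placeholder path
        WebTarget req = withQueryValue(
                withQueryValue(base, "UserLogin", "MYLOGIN"), "Password", password);

        URI uri = req.getUri();
        System.out.println(uri.toASCIIString());
        // Fail loudly if the server would receive a different password.
        if (!password.equals(decodedParam(uri, "Password"))) {
            throw new IllegalStateException("Password did not round-trip");
        }
    }
}
```

The round-trip check uses `URLDecoder`, which treats `+` as a space, so it is only a valid comparison for values without a literal `+`.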