[
https://issues.apache.org/jira/browse/HTTPCORE-744?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Krasimir Malchev updated HTTPCORE-744:
--------------------------------------
Summary: HttpCore 5.2.1 does not correctly handle semi-column (;) and equal
sign (=) characters in URI set as Location header. (was: HttpCore 5.2.1 does
not correctly handle semicolumn and equal characters in URI set as Location
header.)
> HttpCore 5.2.1 does not correctly handle semi-column (;) and equal sign (=)
> characters in URI set as Location header.
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: HTTPCORE-744
> URL: https://issues.apache.org/jira/browse/HTTPCORE-744
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore
> Affects Versions: 5.2.1
> Environment: httpclient5, version 5.1.2
> httpcore5, version 5.1.2
> javax.servlet-api, version 3.1.0
> Reporter: Krasimir Malchev
> Priority: Major
> Attachments: Simulation.zip
>
>
> If an http response has an URI in the Location header, which contains special
> symbols - semi-column (;) and equal sign (=), the URI parser of the
> underlaying URI builder encodes these symbols to %3B and %3D. Then the
> redirect will be performed using the encoded URI.
> Real Use Case where the issue is detected with httpcomonents updated from
> version 4 to 5: SAML Artifact binding in an IDP initiated SSO communication.
> A simple simulation program is attached to demonstrate the problem.
> Test Case: There is a servlet and a client application.
> 1. The client application sends an HTTP GET request to the servlet with URI
> "http://localhost:8080/test/welcome";
> 2. The servlet receives the request and sends a redirect response with a
> relative location - /test/httpclient4/welcomeHttpClient
> 2.1. Before sending the response the redirect URL is encoded (by calling the
> method HttpServletResponse.encodeRedirectURL(String location)).
> 2.2.The latter method adds jsessionid at the end of the new location in
> accordance to the Java Servlet Specification, section 7.1.3 - URL Rewriting
> (https://javaee.github.io/servlet-spec/downloads/servlet-3.1/Final/servlet-3_1-final.pdf).
> Therefore the redirect location becomes similar to
> /test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F
> 3. When the response is received the httpclient parses the new location and
> encodes it to:
> http://localhost:8080/test/httpclient/welcomeHttpClient%3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F
> This is an issue, because the latter URL is redirected at the end with
> %3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F (i.e. no such endpoint
> exists). Also jsessionid is not recognized as a path parameter.
> The expected redirect URL is without encoded semi-column and equal sign :
> http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F
> Remarks:
> 1) Note that if the servlet redirects a full URI instead of a relative URI
> (for example,
> http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F),
> then
> the httpclient response is properly parsed and the redrect URL has no encoded
> semi-column and equal sign character.
> 2) If http client 4.5.5 and httpcore 4.4.9 are used, then the described issue
> is not present! (client application is also attached)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
