[
https://issues.apache.org/jira/browse/HTTPCORE-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716929#comment-17716929
]
Mark Thomas commented on HTTPCORE-744:
--------------------------------------
TL;DR - There is a bug here. The redirect URI should not be being modified to
encode the ';' or the '='. Encoding those characters changes the meaning of the
URI.
The (slightly) longer version:
Nothing in RFC 3986 states that a reserved character can be replaced by the %nn
encoded value for that character. RFC 3986 (section 6.2.2.2) is explicit that
%nn encoded characters are only equivalent to their non-encoded forms for
unreserved characters. Both ';' and '=' are reserved (RFC 3986, section 2.2).
Therefore the the relative URIs "/a/b;c=d" and "/a/b%3bc%3dd" are NOT
equivalent.
RFC 3986 treats path segments as opaque. It does not define the meaning of
reserved characters such as ';'. It does, however, note that (section 3.3) that
'the semicolon (";") and equals ("=") reserved characters are often used to
delimit parameters and parameter values applicable to that segment'. Prior
versions of this RFC did specify how reserved characters were to be used for
parameters. RFC 3986 deliberately chose to take a more generic approach and
leave the exact definition to others. As long as the client and server a) agree
the format to be used and b) are consistent with the generic rules set out in
RFC 3986 they are free to use any reserved characters they wish in any way they
wish. RFC 3986 compliant tools MUST treat path segements as opaque in order not
to interfer with any such mechanisms.
> HttpCore 5.2.1 does not correctly handle semi-colon (;) and equal sign (=)
> characters in URI set as Location header.
> --------------------------------------------------------------------------------------------------------------------
>
> Key: HTTPCORE-744
> URL: https://issues.apache.org/jira/browse/HTTPCORE-744
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore
> Affects Versions: 5.2.1
> Environment: httpclient5, version 5.1.2
> httpcore5, version 5.1.2
> javax.servlet-api, version 3.1.0
> Reporter: Krasimir Malchev
> Priority: Major
> Attachments: Simulation.zip
>
>
> If an http response has an URI in the Location header, which contains special
> symbols - semi-colon ( ; ) and equal sign (=), the URI parser of the
> underlaying URI builder encodes these symbols to %3B and %3D. Then the
> redirect will be performed using the encoded URI.
> {+}Real Use Case where the issue is detected with httpcomonents updated from
> version 4 to 5{+}: SAML Artifact binding in an IDP initiated SSO
> communication.
> A simple simulation program is attached to demonstrate the problem.
> +Test Case:+ There is a servlet and a client application.
> 1. The client application sends an HTTP GET request to the servlet with URI
> "http://localhost:8080/test/welcome";
> 2. The servlet receives the request and sends a redirect response with a
> relative location - /test/httpclient4/welcomeHttpClient
> 2.1. Before sending the response the redirect URL is encoded (by calling the
> method HttpServletResponse.encodeRedirectURL(String location)).
> 2.2.The latter method adds jsessionid at the end of the new location in
> accordance to the [Java Servlet Specification, section 7.1.3 - URL
> Rewriting|https://javaee.github.io/servlet-spec/downloads/servlet-3.1/Final/servlet-3_1-final.pdf].
> As a result, the redirect location becomes similar to
> _/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F_
> 3. When the response is received the httpclient parses the new location and
> encodes it to:
> http://localhost:8080/test/httpclient/welcomeHttpClient%3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F
> This is an issue, because the latter URL is redirected at the end with
> {_}{*}%3B{*}jsessionid{*}%3D{*}FD86C2C971F595C8459028D585BCF26{_}F (i.e. no
> such endpoint exists). Also _jsessionid_ is not recognized as a path
> parameter.
> The expected redirect URL is without encoded semi-colon and equal sign :
> http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F
> +Remarks:+
> * If the servlet redirects a full URI instead of a relative URI (for
> example,
> http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F,
> then the httpclient response is properly parsed and the redirect URL has no
> encoded semi-colon and equal sign characters.
> * If http client 4.5.5 and httpcore 4.4.9 are used, then the described issue
> is not present.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
