[ https://issues.apache.org/jira/browse/ARTEMIS-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381572#comment-17381572 ]
Aaron Steigerwald commented on ARTEMIS-3388:
--------------------------------------------

Yes, I see your point. For whatever reason Artemis doesn't currently have a problem with any other character in that string, only the + sign. I'll encode the other characters in the future if I must. Thanks!

> URI query values decoded twice
> ------------------------------
>
> Key: ARTEMIS-3388
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3388
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.17.0
> Reporter: Aaron Steigerwald
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> An encoded acceptor password like
> keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to
> ENC(ql6LSJ YMxGN1yn1r/F0yw==) prior to being passed to the
> SensitiveDataCodec.decode method. This causes exceptions like
> "java.lang.IllegalArgumentException: Illegal base64 character 20" if the
> SensitiveDataCodec implementation is expecting Base64 characters because a
> space is not a valid Base64 character.
> This appears to be happening because the string is URL decoded twice. The
> first time is implicit in the
> org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls
> uri.getQuery(), which according to
> [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html] "The
> getUserInfo, getPath, getQuery, getFragment, getAuthority, and
> getSchemeSpecificPart methods +decode+ any escaped octets in their
> corresponding components. The strings returned by these methods may contain
> both other characters and illegal characters, and will not contain any
> escaped octets." The second time is explicit in the
> org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI method. It calls
> URLDecoder.decode(value, "UTF-8").
> The workaround is to replace all spaces with plus + characters in the custom
> SensitiveDataCodec.decode method. This is safe because the method is
> expecting only valid Base64 characters and the space character will only
> exist if it's been converted from a plus + character.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
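
The double decode described in the issue, reproduced as an added example that is not part of the original message and is not Artemis code. The host, port, class name and the helpers `tryBase64` and `valueOf` are hypothetical; decoding `getRawQuery()` once is shown only for comparison and is not presented as the project's fix.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.util.Base64;

public class DoubleDecodeDemo {

    // Strips the ENC(...) wrapper and Base64-decodes the payload, as a codec
    // expecting Base64 input would (hypothetical helper for this demo).
    static String tryBase64(String wrapped) {
        String payload = wrapped.substring("ENC(".length(), wrapped.length() - 1);
        try {
            return Base64.getDecoder().decode(payload).length + " bytes";
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Returns the text after the first '=' of a single key=value query.
    static String valueOf(String query) {
        return query.substring(query.indexOf('=') + 1);
    }

    public static void main(String[] args) throws Exception {
        // Constructed URI: scheme, host and port are placeholders; the
        // keyStorePassword value is the one quoted in the issue.
        URI uri = new URI(
            "tcp://localhost:61616?keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)");

        // First decode: getQuery() already turns %2B into a literal '+'.
        String once = valueOf(uri.getQuery());
        // Second decode: URLDecoder treats that literal '+' as a space.
        String twice = URLDecoder.decode(once, "UTF-8");
        // Decoding the raw (still escaped) query exactly once keeps the '+'.
        String rawOnce = URLDecoder.decode(valueOf(uri.getRawQuery()), "UTF-8");
        // Workaround from the issue: map spaces back to '+' before Base64.
        String repaired = twice.replace(' ', '+');

        System.out.println("getQuery()        : " + once);
        System.out.println("decoded twice     : " + twice + " -> " + tryBase64(twice));
        System.out.println("raw, decoded once : " + rawOnce + " -> " + tryBase64(rawOnce));
        System.out.println("workaround        : " + repaired + " -> " + tryBase64(repaired));
    }
}
```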