[jira] [Commented] (OFBIZ-10275) UtilCodec URL decoding breaks values with german umlauts

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-10275) UtilCodec URL decoding breaks values with german umlauts

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-10275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17195327#comment-17195327 ]

ASF subversion and git services commented on OFBIZ-10275:
---------------------------------------------------------

Commit 748e6c3452bdd840f563b66268ca3b513b536267 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=748e6c3 ]

Fixed: Error while decoding url parameters with percent character (OFBIZ-12014)

This has been already fixed (an clearly explained) in OFBIZ-10275 and broken
again in OFBIZ-11822

Thanks: Pradeep Choudhary


> UtilCodec URL decoding breaks values with german umlauts
> --------------------------------------------------------
>
>                 Key: OFBIZ-10275
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10275
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Martin Becker
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: 16.11.05, 18.12.01, 17.12.01
>
>         Attachments: OFBIZ-10275_UrlCodec_decode_via_URLDecoder.patch
>
>
> ...and other UTF-8 characters encoded in two hex. values like in this example:
> {code:java}
> String example = "/webcontent/example_öl.jpg";
> String encoded = UtilCodec.getEncoder("url").encode(example);
> System.out.println(encoded);
> => "%2Fwebcontent%2Fexample_%C3%B6l.jpg"
> String decoded = UtilCodec.getDecoder("url").decode(encoded); System.out.println(decoded);
> => "/webcontent/example_öl.jpg"{code}
>  
> The reason for this is the OWASP ESAPI PercentCodec implementation used within the method UtilCodec.canonicalize, called before the proper decoding via java.net.URLDecoder here:
> {code:java}
> public String decode(String original) {
>     try {
>         String canonical = canonicalize(original);
>         return URLDecoder.decode(canonical, "UTF-8");
>     } catch (UnsupportedEncodingException ee) {
>         Debug.logError(ee, module);
>         return null;
>     }
> }{code}
>  
> The fix could be to only use the canonicalize logic to check the original value for double/mixed encoding and to encode the original value afterwards via URLDecoder instead of using the canonicalize output for this.
>  This way the UrlCodec decode method matches the encode method by only using URLDecoder / URLEncoder for doing the main job.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)