Invalid encoding of '?' in query parameter values by Encode.encodeQueryParam #41060
/cc @FroMage (resteasy-reactive), @geoand (resteasy-reactive), @stuartwdouglas (resteasy-reactive)
…ram(..) Previously `?` in query parameter values were encoded as is, which caused invalid URL values. We now replace `?` characters in query parameter values with `%3F`. Fixes quarkusio#41060 Signed-off-by: Thomas Darimont <[email protected]>
…lid-query-param-encoding Fix encoding of '?' in query parameter values by Encode.encodeQueryParam(..)
I went and checked because I was sure I remembered that This is pretty evident in https://datatracker.ietf.org/doc/html/rfc3986#section-3.4 although they have a note about compatibility with older software in some very specific cases. So, not sure about this fix, TBH. This feels wrong.
What harm could it do?
Good question. I'm not sure. But in any case, this is probably hiding a bug elsewhere:
I mean, probably there's one part in there that has a bug in query decoding, and probably Quarkus is not the only place that would generate such (valid) query parts, so it will keep failing for other valid URIs produced by non-Quarkus.
That's interesting, I was under the impression that Browser APIs also encode the ? in the URL, see:
I don't think that's true. I think the only thing it has to encode, when placing a value in a query part value are the
Yeah, that's what I'm worried about. Incorrectly encoding things always ends up making decoding wrong somewhat, in ways that are hard to predict. But really, you should check what code actually has an issue with
Thanks for the references! However, in the examples I was not using Unfortunately, since this Encode class is used internally all over the place in Quarkus applications, or more specifically in Keycloak, it is very hard to securely ensure the proper encoding in all the places without raising duplicate encoding issues.
…ram(..) Previously `?` in query parameter values were encoded as is, which caused invalid URL values. We now replace `?` characters in query parameter values with `%3F`. Fixes quarkusio#41060 Signed-off-by: Thomas Darimont <[email protected]> (cherry picked from commit f244de0)
Yeah, this encodes pretty much everything, even when not required. I think encoding extra chars is fine:
However, it is definitely a bug to reject or not properly decode
Describe the bug
org.jboss.resteasy.reactive.common.util.Encode.encodeQueryParam(..) does not encode `?` characters in query parameter values.

Expected behavior
A query parameter value like `foo?a=b` should be encoded as `foo%3Fa%3Db` by Encode.encodeQueryParam(..).

Actual behavior
A query parameter value like `foo?a=b` is encoded as `foo?a%3Db` by Encode.encodeQueryParam(..). Note the unencoded `?`, which should be encoded as `%3F`.

How to Reproduce?

Output of uname -a or ver
No response

Output of java -version
No response

Quarkus version or git rev
3.11.1 but also 3.8.5

Build tool (i.e. output of mvnw --version or gradlew --version)
No response

Additional information
This affects all users of Encode, e.g. org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl. The following will produce the incorrectly (partially) encoded URL:

Yields:

Instead of:

Just stumbled upon this because a Keycloak user reported strange behaviour when a SAML client_id looked like this: `https://somehost:1234/saml/consume?action=login` (thank you legacy software...) and caused issues when the client ID was used as is in URLs generated by Keycloak through UriBuilderImpl.

Note: It would be great to have this backported to quarkus 3.8.x to be picked up by Keycloak.
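As an added example (not code from the issue, Quarkus or Keycloak), the following Python models the two encodings contrasted in the report above and the reviewer's point from the discussion: a minimal RFC 3986 query-value encoder that leaves `?` unescaped (the reported actual behaviour), a variant that emits `%3F` (the expected behaviour), and a decoder that splits a URL at the first `?` and each pair at the first `=`, so both forms decode to the same value. The base URL `https://idp.example/auth`, the parameter name `client_id` and all function names are constructed for this example.

```python
from urllib.parse import unquote

# RFC 3986: query = *( pchar / "/" / "?" ); pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?")
# Inside a key=value pair these would change the query's structure (or, for '+', be
# read as a space by form decoders), so a value encoder must escape them regardless.
VALUE_RESERVED = set("&=+")


def pct(ch: str) -> str:
    """Percent-encode one character as UTF-8 bytes, e.g. '?' -> '%3F'."""
    return "".join(f"%{b:02X}" for b in ch.encode("utf-8"))


def encode_query_value(value: str, encode_qmark: bool = False) -> str:
    """Encode one query parameter value (example helper, not Encode.encodeQueryParam).

    encode_qmark=False leaves '?' alone, which RFC 3986 permits in a query (the actual
    behaviour in the report); encode_qmark=True emits %3F (the expected behaviour).
    """
    extra = {"?"} if encode_qmark else set()
    return "".join(
        ch if ch in QUERY_ALLOWED and ch not in VALUE_RESERVED and ch not in extra else pct(ch)
        for ch in value
    )


def build_url(base: str, params: dict, encode_qmark: bool = False) -> str:
    """Append key=value pairs to a base URL (example helper, not UriBuilderImpl)."""
    pairs = (f"{encode_query_value(k, encode_qmark)}={encode_query_value(v, encode_qmark)}"
             for k, v in params.items())
    return base + "?" + "&".join(pairs)


def parse_url(url: str) -> tuple:
    """Split a URL into (path part, decoded params).

    The query starts at the FIRST '?' and ends at '#'; any later '?' belongs to the
    query. Pairs split on '&' and on the FIRST '=' only, so a literal '?' or '=' in a
    value survives. A decoder that splits on the last '?' instead is the kind of bug
    that makes an unencoded '?' in a value look like an encoding problem.
    """
    path, _, rest = url.partition("?")
    query, _, _fragment = rest.partition("#")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, val = pair.partition("=")
        params[unquote(key)] = unquote(val)
    return path, params
```

Both `build_url(...)` outputs, with and without `encode_qmark`, are valid per RFC 3986 and decode to the original `client_id`; the `%3F` form only matters to consumers whose parser mishandles a literal `?` in the query.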