Bug 64470 - ALLOW_ENCODED_SLASH property doesn't work with 9.0.35 anymore
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: unspecified
Hardware: PC All
Importance: P2 regression
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2020-05-25 12:50 UTC by morten.riedel
Modified: 2020-05-25 15:08 UTC
Description morten.riedel 2020-05-25 12:50:04 UTC
Hi,

I'm using Spring with Tomcat 9.0.34 and have enabled URL-encoded parameters using the property:

System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");

When updating to Tomcat 9.0.35 I receive a 400 Bad Request when using URL-encoded parameters. If I create a new connector and set the solidusHandling to passthrough or decode, it works again:

connector.setEncodedSolidusHandling(EncodedSolidusHandling.PASS_THROUGH.getValue());

This feels like a regression to me, as it worked with Tomcat 9.0.34 without setting setEncodedSolidusHandling to some value.

Regards
Morten
Comment 1 Remy Maucherat 2020-05-25 13:32:56 UTC
I thought 9 had kept the system property, but that doesn't seem to be the case in the code path that is actually used. You should plan to migrate to the new option though; DECODE corresponds to the old behavior when the system property was set to true.

Most likely this patch will restore support for the system property, will see if it's ok to add it back:
--- a/java/org/apache/tomcat/util/buf/UDecoder.java
+++ b/java/org/apache/tomcat/util/buf/UDecoder.java
@@ -140,7 +140,7 @@
 
                 j+=2;
                 int res=x2c( b1, b2 );
-                if (res == '/') {
+                if (res == '/' && !ALLOW_ENCODED_SLASH) {
                     switch (encodedSolidusHandling) {
                     case DECODE: {
                         buff[idx]=(byte)res;
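Review bot: The added `&& !ALLOW_ENCODED_SLASH` on the `if (res == '/')` line bypasses the whole `switch (encodedSolidusHandling)` whenever the system property is true, so the value configured on the connector is never consulted for an encoded slash in that case. Suggest leaving the decode loop driven by encodedSolidusHandling alone and applying the property where that field gets its initial value, so that an explicit connector setting still takes effect.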
Comment 2 Konstantin Kolinko 2020-05-25 14:29:56 UTC
(In reply to Remy Maucherat from comment #1)

> --- a/java/org/apache/tomcat/util/buf/UDecoder.java
> +++ b/java/org/apache/tomcat/util/buf/UDecoder.java
> @@ -140,7 +140,7 @@
>  
>                  j+=2;
>                  int res=x2c( b1, b2 );
> -                if (res == '/') {
> +                if (res == '/' && !ALLOW_ENCODED_SLASH) {
>                      switch (encodedSolidusHandling) {
>                      case DECODE: {
>                          buff[idx]=(byte)res;
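Review bot: The changed condition `res == '/' && !ALLOW_ENCODED_SLASH` carries no comment saying which of the two settings takes precedence, and after this change two differently named controls decide the fate of the same decoded byte. If the guard stays, add a one-line comment above the `if` stating that the system property overrides encodedSolidusHandling here and why it is kept.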

The configuration reference says that the system property affects the default value of encodedSolidusHandling attribute of all connectors:
http://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html

Searching for "encodedSolidusHandling",
I think that the patch should be for org.apache.catalina.connector.Connector where the default value is set. (The bug is that it is currently done without any respect for the system property).

If we patch UDecoder it means that the changed value won't be seen as a connector property via JMX.
Comment 3 Remy Maucherat 2020-05-25 15:08:43 UTC
Good idea. This should now be fixed according to the docs in 9.0.36, 8.5.56 and 7.0.105.
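
The behaviour discussed in this thread, as an added Java sketch that is not part of the bug report and is not Tomcat's code: it models the three encodedSolidusHandling modes for `%2F` and the rule from comment 2 that the system property only supplies the default while an explicit connector value wins. The class name, the local `Handling` enum, the use of `IllegalArgumentException` for the 400 case and the REJECT default when the property is unset are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added illustration, not Tomcat source: simplified model of the three modes.
public class EncodedSolidusDemo {
    enum Handling { DECODE, REJECT, PASS_THROUGH } // local stand-in enum

    // Assumed default: DECODE if the legacy property is true, else REJECT.
    static Handling defaultHandling() {
        return Boolean.getBoolean("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH")
                ? Handling.DECODE : Handling.REJECT;
    }

    // An explicitly configured connector value wins over the property-derived default.
    static Handling effective(Handling configured) {
        return configured != null ? configured : defaultHandling();
    }

    static String decodePath(String raw, Handling mode) {
        byte[] in = raw.getBytes(StandardCharsets.ISO_8859_1);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < in.length; i++) {
            if (in[i] != '%') { out.write(in[i]); continue; }
            if (i + 2 >= in.length) throw new IllegalArgumentException("truncated escape");
            int hi = Character.digit(in[i + 1], 16), lo = Character.digit(in[i + 2], 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad hex in escape");
            int res = (hi << 4) | lo;
            if (res == '/' && mode == Handling.REJECT)
                throw new IllegalArgumentException("encoded slash rejected");
            if (res == '/' && mode == Handling.PASS_THROUGH) out.write(in, i, 3); // keep "%2F"
            else out.write(res);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String raw = "/files/a%2Fb%20c"; // constructed sample request path
        System.out.println("default=" + effective(null)
                + " explicit=" + effective(Handling.PASS_THROUGH));
        for (Handling mode : Handling.values()) {
            try {
                System.out.println(mode + " -> " + decodePath(raw, mode));
            } catch (IllegalArgumentException e) {
                System.out.println(mode + " -> 400 (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it with and without `-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` changes only the reported default, not the explicitly configured value.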