Handle illegal hex characters in url


This topic contains 6 replies, has 2 voices, and was last updated by  susnet 5 months, 3 weeks ago.

  • #27321

    susnet
    Participant

    Hi!

    I have the following rule:

    .addRule(Join.path("/search/{query}").to("/pages/search.xhtml?query={query}"))

    If someone enters a problematic URL like this one: /search/3%25%20fat then an exception is thrown and the http response is 500.

    Stack trace:
    ERROR [io.undertow.request] (default task-2) UT005023: Exception handling request to /search/3%25%20fat: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: " f"
    at java.net.URLDecoder.decode(URLDecoder.java:194)
    at io.undertow.util.QueryParameterUtils.decodeParam(QueryParameterUtils.java:134)
    at io.undertow.util.QueryParameterUtils.handleQueryParameter(QueryParameterUtils.java:118)
    at io.undertow.util.QueryParameterUtils.parseQueryString(QueryParameterUtils.java:106)
    at io.undertow.util.QueryParameterUtils.mergeQueryParametersWithNewQueryString(QueryParameterUtils.java:151)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:172)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:108)
    at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:41)
    at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:268)
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:188)

    I would just like to handle this in a nicer way. It would be ok just to respond 404 not found. I tried adding a matches pattern to my rule but I can’t get it to work with “%” in the pattern.

    Any ideas on how to solve this?

    Thanks in advance!

    #27322

    Which version are you using? Does this also happen with 3.0.0.Alpha10?

    #27323

    susnet
    Participant

    I’m using 2.0.12.Final. I also tried 3.0.0.Alpha10 and it’s the same problem. Here is the log and stack trace for 3.0.0.Alpha10:

    10:33:05,308 SEVERE [org.ocpsoft.rewrite.AbstractRewrite] (default task-2) Rewrite rule evaluation for event [InboundRewrite [GET url=http://mydomain.com/search/3%25%20fat, flow=FORWARD, dispatchResource=/pages/search.xhtml?query=3% fat]]
    Rule 0: .addRule(Join.path("/search/{query}").to("/pages/search.xhtml?query={query}")) defined at mydomain.util.RewriteConfigurationProvider.getConfiguration(RewriteConfigurationProvider.java:200)

    10:33:05,309 ERROR [io.undertow.request] (default task-2) UT005023: Exception handling request to /search/3%25%20fat: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: " f"
    at java.net.URLDecoder.decode(URLDecoder.java:194)
    at io.undertow.util.QueryParameterUtils.decodeParam(QueryParameterUtils.java:134)
    at io.undertow.util.QueryParameterUtils.handleQueryParameter(QueryParameterUtils.java:118)
    at io.undertow.util.QueryParameterUtils.parseQueryString(QueryParameterUtils.java:106)
    at io.undertow.util.QueryParameterUtils.mergeQueryParametersWithNewQueryString(QueryParameterUtils.java:151)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:172)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:108)
    at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:42)
    at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:297)
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:198)

    #27324

    Hmmm. Looks like the exception is actually thrown from Undertow code…

    #27325

    susnet
    Participant

    Yes it is, and the version of Wildfly is 9.0.2.Final (and also 8.1 was exactly the same problem). But it would be nice if there was a way to handle the exception. If you don’t have any rule that matches this problematic URL then there will be a 404 response. Now when a rule does match, the exception is thrown, not handled, and the response is 500.

    So the question is – is there some way to handle the exception in the Rewrite code, or in my code or is it possible to write a matching pattern that filters out the problematic urls?

    #27326

    I think you could do something like this:

    .addRule(Join.path("/search/{query}").to("/pages/search.xhtml?query={query}"))
    .where("query").constrainedBy( (event, context, value) -> {
      // validate value here and return true if everything is fine
    })
    

    Now you just need some code that verifies that value doesn’t contain invalid escape sequences.

    #27345

    susnet
    Participant

    Thank you very much!! This is working just fine!

    This is how my rule now looks:

    .addRule(Join.path("/search/{query}").to("/pages/search.xhtml?query={query}"))
    .where("query").constrainedBy( (event, context1, value) -> {
        // validate value here and return true if everything is fine
        try {
            URLDecoder.decode(value, "UTF-8");
            return true;
        }
        catch (IllegalArgumentException e) {
            // malformed % escape: the rule does not match
            return false;
        }
        catch (UnsupportedEncodingException e) {
            return false;
        }
    })

    Thanks again!
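
Why the constraint in the last post catches this request, as an added example that is not part of the original thread: the log shows the path segment already decoded once (`query=3% fat`) before it is copied into the forwarded query string, and the container then decodes it a second time. The class name `EscapeCheck` and the helpers `isHex` and `hasOnlyValidEscapes` are hypothetical; `URLDecoder.decode(String, Charset)` requires Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class EscapeCheck {

    // ASCII-only hex test; Character.digit() would also accept non-ASCII digits.
    static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    // True when every '%' in s is followed by two hex digits.
    static boolean hasOnlyValidEscapes(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) != '%') {
                continue;
            }
            if (i + 2 >= s.length() || !isHex(s.charAt(i + 1)) || !isHex(s.charAt(i + 2))) {
                return false;
            }
            i += 2; // skip the two hex digits just checked
        }
        return true;
    }

    public static void main(String[] args) {
        // Path segment from the request in the thread.
        String raw = "3%25%20fat";
        // First decode, matching the dispatchResource value shown in the log.
        String once = URLDecoder.decode(raw, StandardCharsets.UTF_8);

        System.out.println("raw  has only valid escapes: " + hasOnlyValidEscapes(raw));
        System.out.println("once has only valid escapes: " + hasOnlyValidEscapes(once));

        // Second decode, which is what the forwarded query string goes through.
        try {
            URLDecoder.decode(once, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            System.out.println("second decode failed: " + e.getMessage());
        }
    }
}
```

Note that a constraint of this kind also rejects a legitimate search for `3% fat`, because the value it sees is the already-decoded one.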
