JERSEY-2850 GrizzlyHttpContainer throws exception with certain chars in query

Adam Lindenthal · Adam Lindenthal · commit b39272600dd7 · 2015-05-19T16:13:29.000+02:00
Change-Id: Ic75721e07fff6b5528fecff4b94cb6e19a9b3675
diff --git a/core-server/src/main/java/org/glassfish/jersey/server/internal/ContainerUtils.java b/core-server/src/main/java/org/glassfish/jersey/server/internal/ContainerUtils.java
@@ -1,7 +1,7 @@
 /*
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *
- * Copyright (c) 2010-2014 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010-2015 Oracle and/or its affiliates. All rights reserved.
  *
  * The contents of this file are subject to the terms of either the GNU
  * General Public License Version 2 only ("GPL") or the Common Development
@@ -39,36 +39,43 @@
  */
 package org.glassfish.jersey.server.internal;
 
-import javax.ws.rs.core.UriBuilder;
-import java.net.URI;
-
 /**
  * Utility methods used by container implementations.
  *
  * @author Adam Lindenthal (adam.lindenthal at oracle.com)
  */
 public class ContainerUtils {
+    private static final String[] TOKENS = {
+            "{", "}", "\\", "^", "|", "`"
+    };
+
+    private static final String[] REPLACEMENTS = {
+            "%7B", "%7D", "%5C", "%5E", "%7C", "%60"
+    };
 
     /**
      * Encodes (predefined subset of) unsafe/unwise URI characters with the percent-encoding.
-     * <p/>
-     * <p>Replaces the predefined set of unsafe URI characters in the query string with its percent-encoded counterparts. The
-     * reserved characters (as defined by the RFC) are automatically encoded by browsers, but some characters are in the "gray
-     * zone" - are not explicitly forbidden, but not recommended and known to cause issues.</p>
-     * <p/>
-     * <p>Currently, the method only encodes the curly brackets ({@code \{} and {@code \}}),
-     * if any, to allow URI request parameters to contain JSON.</p>
+     *
+     * <p>Replaces the predefined set of unsafe URI characters in the query string with its percent-encoded
+     * counterparts. The reserved characters (as defined by the RFC) are automatically encoded by browsers, but some
+     * characters are in the "gray zone" - are not explicitly forbidden, but not recommended and known to cause
+     * issues.</p>
      *
      * @param originalQueryString URI query string (the part behind the question mark character).
-     * @return the same string with unsafe characters (currently only curly brackets) eventually percent encoded.
+     * @return the same string with unsafe characters percent encoded.
      */
-    public static String encodeUnsafeCharacters(String originalQueryString) {
+    public static String encodeUnsafeCharacters(final String originalQueryString) {
         if (originalQueryString == null) {
             return null;
         }
-        if (originalQueryString.contains("{") || originalQueryString.contains("}")) {
-            return originalQueryString.replace("{", "%7B").replace("}", "%7D");
+
+        String result = originalQueryString;
+        for (int i = 0; i < TOKENS.length; i++) {
+            if (originalQueryString.contains(TOKENS[i])) {
+                result = result.replace(TOKENS[i], REPLACEMENTS[i]);
+            }
         }
-        return originalQueryString;
+
+        return result;
     }
 }
diff --git a/tests/e2e/src/test/java/org/glassfish/jersey/tests/api/UnsafeCharsInUriTest.java b/tests/e2e/src/test/java/org/glassfish/jersey/tests/api/UnsafeCharsInUriTest.java
@@ -1,7 +1,7 @@
 /*
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *
- * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014-2015 Oracle and/or its affiliates. All rights reserved.
  *
  * The contents of this file are subject to the terms of either the GNU
  * General Public License Version 2 only ("GPL") or the Common Development
@@ -39,39 +39,38 @@
  */
 package org.glassfish.jersey.tests.api;
 
-import org.glassfish.jersey.filter.LoggingFilter;
-import org.glassfish.jersey.server.ResourceConfig;
-import org.glassfish.jersey.test.JerseyTest;
-import org.glassfish.jersey.test.TestProperties;
-import org.junit.Test;
-
-import javax.ws.rs.DefaultValue;
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Response;
 import java.io.BufferedReader;
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.net.Socket;
-import java.util.logging.Logger;
+import java.net.URI;
+
+import javax.ws.rs.DefaultValue;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Response;
+
+import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.test.JerseyTest;
+
+import org.junit.Test;
+
 
 import static org.junit.Assert.assertEquals;
 
 /**
- * Test if URI can contain a JSON in the query parameter.
+ * Test if URI can contain unsafe characters in the query parameter, e.g. for sending JSON
  *
  * @author Adam Lindenthal (adam.lindenthal at oracle.com)
  */
-public class JsonInUriTest extends JerseyTest {
-    private static final Logger LOGGER = Logger.getLogger(JsonInUriTest.class.getName());
-
+public class UnsafeCharsInUriTest extends JerseyTest {
     @Override
     protected ResourceConfig configure() {
-        ResourceConfig rc = new ResourceConfig(JsonInUriTest.ResponseTest.class);
+        ResourceConfig rc = new ResourceConfig(UnsafeCharsInUriTest.ResponseTest.class);
         return rc;
     }
 
@@ -81,46 +80,58 @@ protected ResourceConfig configure() {
     @Path(value = "/app")
     public static class ResponseTest {
         /**
-         * Test resource method returning the content of the {@code json} query parameter.
+         * Test resource method returning the content of the {@code msg} query parameter.
          *
-         * @return the {@code json} query parameter (as received)
+         * @return the {@code msg} query parameter (as received)
          */
         @GET
         @Path("test")
-        public Response jsonQueryParamTest(@DefaultValue("") @QueryParam("json") String json) {
-            return Response.ok().entity(json).build();
+        public Response jsonQueryParamTest(@DefaultValue("") @QueryParam("msg") final String msg) {
+            return Response.ok().entity(msg).build();
         }
 
     }
 
     /**
-     * Test, that server can consume JSON sent in the query parameter
+     * Test, that server can consume JSON (curly brackets) and other unsafe characters sent in the query parameter
      *
      * @throws IOException
      */
     @Test
-    public void testJsonInUriWithSockets() throws IOException {
+    public void testSpecCharsInUriWithSockets() throws IOException {
+        // quotes are encoded by browsers, curly brackets are not, so the quotes will be sent pre-encoded
+        // HTTP 1.0 is used for simplicity
+        String response = sendGetRequestOverSocket(getBaseUri(), "GET /app/test?msg={%22foo%22:%22bar%22} HTTP/1.0");
+        assertEquals("{\"foo\":\"bar\"}", response);
+
+        response = sendGetRequestOverSocket(getBaseUri(),
+                "GET /app/test?msg=Hello\\World+With+SpecChars+§*)$!±@-_=;`:\\,~| HTTP/1.0");
+
+        assertEquals("Hello\\World With SpecChars §*)$!±@-_=;`:\\,~|", response);
+    }
+
+    private String sendGetRequestOverSocket(final URI baseUri, final String requestLine) throws IOException {
         // Low level approach with sockets is used, because common Java HTTP clients are using java.net.URI,
         // which fails when unencoded curly bracket is part of the URI
-        Socket socket = new Socket(getBaseUri().getHost(), getBaseUri().getPort());
-        PrintWriter pw = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())));
+        final Socket socket = new Socket(baseUri.getHost(), baseUri.getPort());
+        final PrintWriter pw = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())));
 
-        // quotes are encoded by browsers, curly brackets are not, so the quotes will be sent pre-encoded
-        // HTTP 1.0 is used for simplicity
-        pw.println("GET /app/test?json={%22foo%22:%22bar%22} HTTP/1.0");
-        pw.println();   // http request should end with a blank line
+        pw.println(requestLine);
+        pw.println(); // http request should end with a blank line
         pw.flush();
 
-        BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
+        final BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
 
         String lastLine = null;
         String line;
         while ((line = br.readLine()) != null) {
             // read the response and remember the last line
             lastLine = line;
         }
-        assertEquals("{\"foo\":\"bar\"}", lastLine);
+        pw.close();
         br.close();
+
+        return lastLine;
     }
 }
 
