1

We had an issue where clients were sending "+" as part of a parameter value without percent-encoding it. After digging in, it looks like converting "+" to " " is from HTML form encoding, but not part of the URL spec.

I found https://www.ibm.com/mysupport/s/question/0D50z00005phvXb/urls-with-or-2b-in-the-path-or-query-are-incorrectly-decoded-to-space?language=en_US which sounds exactly like what we're hitting, but with Liberty 19.0.0.8 (and probably for some time), even excpicitly setting decodeUrlPlusSign="false" doesn't seem to help.

That is, when we call req.getParameter(queryParameterName) it is returning the value with a " " instead of a "+".

I'm setting it in server.xml as follows:

<webContainer disableXPoweredBy="true" decodeUrlPlusSign="false" />

What exactly is decodeUrlPlusSign supposed to do? Is it working as expected?

lmsurprenant
  • 1,723
  • 2
  • 14
  • 28
  • 1
    One alternative we found was to capture the HttpServletRequest .getQueryString(); and use that queryString to rewrite the converted ' ' back to '+'. I remain very interested in decodeUrlPlusSign's intended setting. – Paul Bastide Sep 05 '19 at 20:42
  • 1
    APAR PK23481 implies even when you opt in, it only changes the behavior of decoding + outside of the query string (path and path_info components of the URL) – covener Sep 05 '19 at 20:50
  • @covener how did you find that? Mind sharing a link? – lmsurprenant Sep 06 '19 at 12:09
  • 1
    This information was public in the past but it has been dropped over the years from the web due to its age, so I reproduced it here: https://hastebin.com/alofuvuzif.coffeescript – covener Sep 06 '19 at 12:23

0 Answers0