Skip to content

Fix incorrect handling of url-encoded parameters in FormFilter #3930

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 4.2.x
Choose a base branch
from
Open

Fix incorrect handling of url-encoded parameters in FormFilter #3930

wants to merge 2 commits into from

Conversation

Shawyeok
Copy link

Fix #3929

@Shawyeok
Fix incorrect handling of url-encoded parameters in FormFilter
cd4f6ce 
Signed-off-by: Yike Xiao <kmter@live.com>
@Shawyeok
Copy link
Author

Do you have a chance to take a look about this?
@spencergibb @raccoonback

raccoonback
raccoonback reviewed Oct 5, 2025
View reviewed changes
...server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/filter/FormFilter.java Outdated
}
UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(requestURL.toString());
MultiValueMap<String, String> queryParams = uriComponentsBuilder.build().getQueryParams();
queryParams = MvcUtils.decodeQueryParams(queryParams);
Copy link
Contributor

@raccoonback raccoonback Oct 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Shawyeok
That’s a good point.
Basically, it seems that this issue occurs because the encoded query string returned by the HttpServletRequest implementation is used as-is.
Regardless of the specific HttpServletRequest implementation, I think defensively decoding it is a good idea.

However, instead of creating a new MvcUtils.decodeQueryParams() method, how about performing the decoding directly at line 117 with UriUtils.decode(request.getQueryString())?
It doesn’t seem necessary to introduce a separate MvcUtils.decodeQueryParams() method.

such as, ...

		Map<String, String[]> form = request.getParameterMap();
		String queryString = UriUtils.decode(request.getQueryString(), StandardCharsets.UTF_8); // try decoding
		StringBuffer requestURL = request.getRequestURL();
		if (StringUtils.hasText(queryString)) {
			requestURL.append('?').append(queryString);
		}
		UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(requestURL.toString());
		MultiValueMap<String, String> queryParams = uriComponentsBuilder.build().getQueryParams();
		for (Iterator<Map.Entry<String, String[]>> entryIterator = form.entrySet().iterator(); entryIterator
			.hasNext();) {
       // ...
        }

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for late reply. We should decode each query parameter independently. For example, in the code you provided above, a query string like q=k%26r would cause an issue.

Therefore, all we need is a utility function that can decode a query string into a multi-value map. I’ve refined the patch — please take a look when you have a moment.

@Shawyeok
Introduce MvcUtils#decodeQueryString method
ba640c8 
Signed-off-by: Yike Xiao <kmter@live.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@raccoonback raccoonback raccoonback left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

waiting-for-triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Shawyeok @raccoonback @spring-cloud-issues