Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-9098

Decode URI variable values when UrlPathHelper.setUrlDecode() is set to false



    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.1 GA
    • Fix Version/s: 3.2 M1
    • Component/s: Web
    • Labels:
    • Last commented by a User:


      Say I have a Controller with the following request mapping:

      @RequestMapping(value = "/




      ", method = RequestMethod.GET)

      Current behavior:

      If one of the PathVariable components (e.g. "identifier" in the above example) contains a URL encoded slash (%2F), the handler is NOT invoked for that request, e.g.

      Expected behavior:

      If one of the PathVariable comonents (e.g. "identifier" in the above example) contains a URL encoded slash (%2F), the handler is invoked for that request and the URL decoded value is assigned to the path variable, e.g.

      calls the handler method above with group="group" and identifier="a/b"

      This is supported by the RFC which assigns special meaning to the slash character and states a slash and a URL encoded slash are NOT the same character:

      RFC 3986 says (section 2.2) :
      The purpose of reserved characters is to provide a set of delimiting
      characters that are distinguishable from other data within a URI.
      URIs that differ in the replacement of a reserved character with its
      corresponding percent-encoded octet are not equivalent. Percent-
      encoding a reserved character, or decoding a percent-encoded octet
      that corresponds to a reserved character, will change how the URI is
      interpreted by most applications. Thus, characters in the reserved
      set are protected from normalization and are therefore safe to be
      used by scheme-specific and producer-specific algorithms for
      delimiting data subcomponents within a URI.

      The actual URL decoding happens in UrlPathHelper.getLookupPathForRequest which eventually calls getRequestUri which calls decodeAndCleanUriString. This is basically too early. First the handler should be chosen and the PathVariables assigned. Then URL decoding should happen on each of the path variables' values.

      If desired I can write a unit test or include a sample Controller to reproduce the above.

      Note: Tomcat MUST be started with the -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true option or the request will never even land at the Spring DispatcherServlet.


          Issue Links



              rstoya05-aop Rossen Stoyanchev
              fransflippo Frans Flippo
              Last updater:
              Spring Issuemaster
              1 Vote for this issue
              3 Start watching this issue


                Days since last comment:
                1 year, 20 weeks, 3 days ago