fix: Sanitize percent characters in resource URLs #24031
…ibility

Jetty 12 rejects URLs containing %25 (percent-encoded percent) as ambiguous URI path encoding, causing downloads to fail with HTTP 400 when filenames contain "%" characters.

Add UrlUtil.sanitizeForUrl() that replaces "%" with "_" in the URL path segment. The actual download filename from Content-Disposition is unaffected since each resource has a unique ID for lookup.

Fixes #22677
| } | ||
|
|
||
| /** | ||
| * Sanitizes a resource name for safe use in URL path segments. |
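Review bot: the javadoc opening line promises "safe use in URL path segments", but per the description the method only replaces "%" with "_". A helper named sanitizeForUrl with that wording invites callers to skip encoding of other characters that are significant in a path segment. Suggest narrowing the name and the doc to the percent replacement, or stating that the result still needs path-segment encoding.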
This javadoc does not really make sense as the only thing it does is replace % with _. It also talks about where the result is used and about Content-Disposition - completely unrelated to URLs. Maybe the correct place would be in StreamRequestHandler if that's the only place there is a problem.

Moved code to StreamRequestHandler.generateURI.
flow-server/src/test/java/com/vaadin/flow/internal/UrlUtilTest.java
Outdated
| open(); | ||
|
|
||
| assertDownloadedContent("percent-link", "file%25.jpg"); | ||
| assertDownloadedContent("percent-link", "file_.jpg"); |
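Review bot: the assertion on "percent-link" covers only the sanitized name file_.jpg; nothing in this hunk checks that the Content-Disposition filename still contains the original "%", which is the property the description relies on when it says the download filename is unaffected. Suggest adding an assertion on that header. Since "%" maps to "_", a second resource actually named file_.jpg would produce the same URL segment, so a case with both resources would confirm that lookup really goes by the unique ID.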
Does this really test anything now?

Seems to assert that the file%.jpg filename in the StreamResource given to the anchor has a URL with file_.jpg properly. Looks correct to me.