#663 ✓invalid

UrlDecoder for request path fails when parsing request

Reported by mateas | March 18th, 2011 @ 03:47 PM

When Play! decodes request path containing query string with encoded unicode characters such as %u00e4 play! fails with IllegalArgumentException:

java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "u0"

Framework version: 1.1.1

Reproduction steps: http://localhost:9000/anypath?myparam=someValue%u00e4includingUnico...

PlayHandlers.parseRequest(ChannelHandlerContext ctx, HttpRequest nettyRequest) decodes the full path including the query string which fails when query string contains "illigal" characters.

Only decode the path excluding the query string (which Play! already does if query string is present)

The bug causes problems for url backward compatibility from a previous system.

Comments and changes to this ticket

  • Morten Kjetland

    Morten Kjetland April 24th, 2011 @ 10:40 PM

    • State changed from “new” to “invalid”
    • Assigned user set to “Morten Kjetland”

    I think the cause of this problem is that your url should have been URLEncoded in the first place:

    The the url would have looked like this:


    And it would end up like the original url after it has been URLDecoded.

  • mateas

    mateas April 27th, 2011 @ 12:23 PM

    Yes, the values are not encoded using url encoding standards, I agree on that. Its encoded using some library with a non-standard implementation rejected by W3C described here http://en.wikipedia.org/wiki/Percent-encoding#Non-standard_implementations

    Although, as I wrote in the initial request this cases problems for backward compatibility with a previous system. It is not possible to change the original URLs as they are created in a legacy web app and are bookmarked by users and partners all over the web. The new web solution (our Play! app) require to be backward compatible with these URLs but Play makes this very hard since Play! crashes before our rewrite Play! plugin can handle the request.

    The submitted patch did not change the outcome of the request decoding. It simply made the query string parameters not to be included when decoding the request which was the original case.

  • Guillaume Bort

    Guillaume Bort April 27th, 2011 @ 03:59 PM

    It is better to keep your fix and apply it yourself on Play. Applying patch like this one make the overall framework more fragile, and anyway we can't guarantee that these kind patch will work as expected on future versions.

  • Morten Kjetland

    Morten Kjetland April 27th, 2011 @ 04:28 PM

    one possible solution would be to include a new param called rawQueryString, which contains the queryString as received without performing any decoding on it..

    and if the decoding fails, we only skip adding the decoded params.. I don't think I like this solution.

    What if:

    We include another method in PlayPlugin:

    public String preUrlDecoding(String url);

    I'm no sure about that one either...

    But on the other hand we should make it possible to re-implement legacy applications in Play.

    What do you think Guillaume?

  • Guillaume Bort

    Guillaume Bort April 28th, 2011 @ 03:12 PM

    The submitted patch did not change the outcome of the request decoding. It simply made the query string parameters not to be included > when decoding the request which was the original case.

    Is there a patch for this? I don't find it.

    One way would be to ignore errors and continue. Anyway the request.queryString value already contains the raw queryString, right?

  • mateas

    mateas April 29th, 2011 @ 07:42 AM

    Yes, I made a pull request with my patch.
    See https://github.com/playframework/play/pull/150

    This patch just ignores the query string when decoding, the same thing the original code does but with minor modifications.

  • Morten Kjetland

    Morten Kjetland June 5th, 2011 @ 07:10 AM

    • State changed from “invalid” to “new”

    I tried pull on master but it didn't work due to changes. I've updated pull with comment

  • Morten Kjetland

    Morten Kjetland June 16th, 2011 @ 08:35 PM

    • State changed from “new” to “invalid”

    Closing this due to missing response from mateas

  • MarcelLukas

    MarcelLukas January 16th, 2018 @ 01:59 PM

    Learning about UrlDecoder for request path fails when parsing request is just so amazing, I have been thinking about getting to a few essay writing service reviews as they have helped me a lot for learning something new, Keep sharing more information with us

  • seoexpert

    seoexpert July 14th, 2018 @ 07:47 AM

    I am glad you take pride in what you write. This makes you stand way out from many other writers that push poorly written content. Ashley Graham Weight Loss

  • dalla

    dalla August 7th, 2018 @ 12:11 AM

    One of the many blog sites using the net, I like perusing joining your the foremost; most people make available you and me such a lot of material within smallish section. I'm sure on the lookout for not to mention as there are a spirit for the purpose of helpful penning, I just determined you would purpose everybody in your best suited place. How can you guidance?
    erection pills

  • sassi

    sassi August 7th, 2018 @ 01:49 AM

    This is the best stuff admin keep posting


  • annashetty
  • sassi

    sassi August 13th, 2018 @ 08:50 AM

    Prepare even more article content on this subject niche you now have a truly great suggestion that will persuade writters.
    Commercial Real Estate Appraiser Los Angeles

  • godgiseo

    godgiseo August 23rd, 2018 @ 08:21 AM

    I am glad you take pride in what you write. เว็บพนันออนไลน์ 928bet ดูบอลสด i99bet ufabet isc888 This makes you stand way out from many other writers that push poorly written content.

  • topp11
  • skykicksoc
  • jira

    jira June 10th, 2019 @ 10:50 AM

    Thank you for a great article. สมัครสมาชิก เกมส์สล็อตออนไลน์

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2>Play framework</h2>

Play makes it easier to build Web applications with Java. It is a clean alternative to bloated Enterprise Java stacks. It focuses on developer productivity and targets RESTful architectures. Learn more on the <a href="http://www.playframework.org">http://www.playframework.org</a> website.<br><br>

<h2>Source code is hosted on github</h2>Check out our repository at <a href="http://github.com/playframework/play">http://github.com/playframework/play</a><br><br>

<h2>Contributing, creating a patch</h2> Please read the <a href="http://play.lighthouseapp.com/projects/57987/contributor-guide">contributor guide</a><br><br>

<h2>Reporting Security Vulnerabilities</h2> Since all bug reports are public, please report any security vulnerability directly to <em>guillaume dot bort at gmail dot com</em>.<br><br>

<h2>Creating a bug report</h2> Bug reports are incredibly helpful, so take time to report bugs and request features in our ticket tracker. We’re always grateful for patches to Play’s code. Indeed, bug reports with attached patches will get fixed far quickly than those without any.<br><br>

Please include as much relevant information as possible including the exact framework version you're using and a code snippet that reproduces the problem.<br><br>

Don't have too much expectations. Unless the bug is really a serious "everything is broken" thing, you're creating a ticket to start a discussion. Having a patch (or a branch on Github we can pull from) is better, but then again we'll only pull high quality branches that make sense to be in the core of Play.