New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Property to control URL decoding in ServletCookieValueMethodArgumentResolver
#26989
Comments
SO: https://stackoverflow.com/q/67725851/1237617 How can I disable this? |
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use the issue tracker only for bugs and enhancements. |
This is a bug, Spring should not throw IllegalArgumentException on valid input |
That issue is about 11 years old and the behavior has been in place for as long. Trying to find an RFC to justify the behavior of decoding the value, I see this in https://datatracker.ietf.org/doc/html/rfc6265#section-5.4:
So the behavior is seems OK, and it's been in use for so long, but you can also bypass |
I fail to see the relevance of decoding octet sequences into UTF-8 character string for URL decoding the value later.
I'm sorry for taking the comment dates at face value :(
|
You're right. Not the same as percent-encoded octets. At the moment I'm not seeing justification for the current behavior but it has been in place for very long, we could only correct it in a major or minor version. Also, that long ago, it's possible that there were other factors, like cookie values actually being encoded, as in that report which requested it. In the mean time, if this causes an issue, the best I can think of is either access the cookie value directly from the request, or create your own annotation and register a resolver for it. |
I think one easy improvement would be updating the Javadoc for @cookie annotation, since now it makes no mention of the URL decoding. It might be documented somewhere in Spring Reference docs but obviously Javadoc is more visible
Wouldn't I be able to override the default handler for the @cookie annotation? I think this wold be the best for now. (I don't like using ServletRequest object, I might as well go back to using servlets then :)) I think a parameter to toggle the decoding would also be useful and you could set the default value to match the existing behaviour |
I've updated the Javadoc for For argument resolvers it's easy to add custom ones, but replacing the built-in ones is not straight forward. For the annotation attribute, if the behavior isn't backed by the spec and if there isn't a reason to URL decode the value, then it doesn't make sense to have it, only to then have it removed in 6.0. |
Given the long standing behavior, I would go with a plan to make this configurable, through a property on |
ServletCookieValueMethodArgumentResolver
Hi @rstoyanchev, good job and noticed the ServletCookieValueMethodArgumentResolver has been implemented. How can it be configured (so we can set the urlDecode property to false)? Thanks |
If I send a request with
Spring will fail with
Affects: 5.2.14
The text was updated successfully, but these errors were encountered: