[JerseyWebTarget] QueryParam not complete encoded

[CallMeFlanby]

Hello,

I have to report that I noticed that the WebTarget from Jersey Client (Version 2.37) is not encoding query parameters correctly.
We are using it to send a password and that is how we noticed, that something is happening. Currently, we encode the password before we set it as query parameters.

An exception is also thrown:
java.lang.IllegalArgumentException: Illegal character ";" at position 76 is not allowed as a part of a name in a path template "UserLogin=(MYLOGIN)&Password=%C3%98%C3%92%C3%8C%C3%A9%C2%A2%C3%A2%5Bi{ùÁe;ª3jË6ð1nLB/X¢.
Please notice that (MYLOGIN) is not the correct UserLogin and the correct UserLogin was replaced in order to post this issue.

Example:

• Plain password:
  ØÒÌé¢â[i{ùÁe;ª3jË6ð1nLB/X¢
• From JettyWebTarget encoded:
  %C3%98%C3%92%C3%8C%C3%A9%C2%A2%C3%A2%5Bi{ùÁe;ª3jË6ð1nLB/X¢
• From Java URLEncoder with StandardCharsets UTF8:
  %C3%98%C3%92%C3%8C%C3%A9%C2%A2%C3%A2%5Bi%7B%C3%B9%C3%81e%3B%C2%AA3j%C3%8B6%C3%B01nLB%2FX%C2%A2

As you see, JettyWebTarget is not encoding the query parameter to 100%.

Please check and let me know if this issue was not opened in the correct forum. I also searched, but could not find another issue related to this problem.

Best regards

[CallMeFlanby]

Do you have new info?

[jansupol]

Related #5289, #5269.
WIP

[CallMeFlanby]

Related #5289, #5269. WIP

Thanks for your reply. I do see my issue is older than those two but at least #5269 has more comments. Should I close this issue then? Or should it rather be left open?

[jansupol]

The actual problem is the { symbol. The symbols say the template parameter starts, and the next string ùÁe is an acceptable name, but the semicolon is not an acceptable part of the name in the template variable.

Now there are two options.

• One option is to continue parsing and check whether there is an end of the template '}` and if so, throw the exception, otherwise, think of it as not a template and properly percent encode.
• The second option, used by Jersey is to inform the user that there is an illegal name, or in the case the name was legal, to inform the } symbol is missing.

The first approach brings additional complexity and open questions.

• What if more { symbols occur? Are all of them non-template symbols, or is any of them a template symbol?

[jansupol]

What exactly is the Jersey code you use?

[CallMeFlanby]

What exactly is the Jersey code you use?

This was our code:

    private final WebTarget target = ClientBuilder.newBuilder()
            .withConfig(new ClientConfig().register(JacksonJaxbJsonProvider.class))
            .build()
            .target(URI.create(otrsPaths.mainPath()));
        var req = target
            .path(otrsPaths.sessionPath())
            .queryParam(OTRSUserLogin, username)
            .queryParam(OTRSPass, URLEncoder.encode(password, StandardCharsets.UTF_8));