ServletServerHttpRequest.getURI() may throw a java.net.URISyntaxException [SPR-16414] #20960

Closed
spring-projects-issues opened this issue Jan 24, 2018 · 2 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: bug A general bug

Comments

@spring-projects-issues
Collaborator

Oliver Becker opened SPR-16414 and commented

We just encountered an error in our Spring Boot application that came from the innocent-looking call

ServletUriComponentsBuilder.fromRequest(httpServletRequest)

which uses internally

ServletServerHttpRequest.getURI()

The URL of this request was indeed illegal since it had an illegal escape sequence in its query part, something like http://app.org/request?query=foo% or http://app.org/request?query=foo%xx. Typing this URL into a browser will cause normal request processing (the controller will handle the query parameter as not present, the corresponding @RequestParam is null), however using the ServletUriComponentsBuilder as mentioned above will cause a java.net.URISyntaxException. (In our case this exception occurred during the rendering of the view, which is even worse.)

I wonder if the framework (i.e. ServletUriComponentsBuilder or ServletUriComponentsBuilder) should handle this illegal URI. Or is it the job of the application using the framework? Either way, the user shouldn't see an error 500.


Affects: 4.3.13

Referenced from: commits 0e6f8df, 04f9549

Backported to: 4.3.15

@spring-projects-issues
Collaborator Author

Juergen Hoeller commented

Good point. I've revised this to leniently fall back to the plain request URL in case of a malformed query string. HttpRequest.getURI() also covers this case in its javadoc now.

On a related note, we're also caching a successfully resolved URI instance in a field. This is generally useful but particularly here now where we potentially have expensive two-step resolution.

This will be part of the upcoming 5.0.4 in February. I'm afraid it'll take a bit longer to materialize in 4.3.15 which is currently only scheduled for April.
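
A minimal sketch of the lenient two-step resolution and caching described in the comment above, as an added example that is not Spring's own code. The class `LenientRequestUri` and its fields are hypothetical; it relies only on `java.net.URI`, and the inputs are constructed from the URLs quoted in the report.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical stand-in for a request wrapper; not Spring's ServletServerHttpRequest.
public class LenientRequestUri {

    private final String requestUrl;   // request URL without the query string
    private final String queryString;  // raw, undecoded query string; may be null
    private URI cached;                // resolved once, then reused

    public LenientRequestUri(String requestUrl, String queryString) {
        this.requestUrl = requestUrl;
        this.queryString = queryString;
    }

    public URI getURI() {
        if (cached == null) {
            cached = resolve();
        }
        return cached;
    }

    private URI resolve() {
        boolean hasQuery = queryString != null && !queryString.isEmpty();
        try {
            // Step 1: strict parse of the URL together with its query string.
            return new URI(hasQuery ? requestUrl + "?" + queryString : requestUrl);
        } catch (URISyntaxException ex) {
            if (!hasQuery) {
                throw new IllegalStateException("Malformed request URL: " + requestUrl, ex);
            }
            // Step 2: the query is malformed (for example a dangling '%'), so
            // fall back to the plain request URL instead of failing the request.
            try {
                return new URI(requestUrl);
            } catch (URISyntaxException ex2) {
                throw new IllegalStateException("Malformed request URL: " + requestUrl, ex2);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs based on the URLs quoted in the report.
        String url = "http://app.org/request";
        for (String q : new String[] {"query=foo", "query=foo%", "query=foo%xx"}) {
            System.out.println(q + " -> " + new LenientRequestUri(url, q).getURI());
        }
    }
}
```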

@spring-projects-issues
Collaborator Author

gary fong commented

Until the fix makes its way down, is there a workaround either elegant or inelegant, enough so that at least the stack trace does not end up at the client?

@spring-projects-issues spring-projects-issues added type: bug A general bug status: backported An issue that has been backported to maintenance branches in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 5.0.4 milestone Jan 11, 2019