Fix #6870 URIUtil.encodePath encodes control characters

Fix #6870 URIUtil.encodePath encodes control characters Signed-off-by: Greg Wilkins <gregw@webtide.com>
jetty · Sep 20, 2021 · 365bed1 · 365bed1
1 parent 1749a90
commit 365bed1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/URIUtil.java b/jetty-util/src/main/java/org/eclipse/jetty/util/URIUtil.java
@@ -120,7 +120,7 @@ private static StringBuilder encodePath(StringBuilder buf, String path, int offs
                         buf = new StringBuilder(path.length() * 2);
                         break loop;
                     default:
-                        if (c > 127)
+                        if (c < 20 || c > 127)
                         {
                             bytes = path.getBytes(URIUtil.__CHARSET);
                             buf = new StringBuilder(path.length() * 2);
@@ -193,7 +193,7 @@ private static StringBuilder encodePath(StringBuilder buf, String path, int offs
                     continue;
 
                 default:
-                    if (c > 127)
+                    if (c < 20 || c > 127)
                     {
                         bytes = path.getBytes(URIUtil.__CHARSET);
                         break loop;
@@ -261,7 +261,7 @@ private static StringBuilder encodePath(StringBuilder buf, String path, int offs
                         buf.append("%7D");
                         continue;
                     default:
-                        if (c < 0)
+                        if (c < 20)
                         {
                             buf.append('%');
                             TypeUtil.toHex(c, buf);

diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/URIUtilTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/URIUtilTest.java
@@ -69,6 +69,7 @@ public static Stream<Arguments> encodePathSource()
     {
         // @checkstyle-disable-check : AvoidEscapedUnicodeCharactersCheck
         return Stream.of(
+            Arguments.of("/foo/\n/bar", "/foo/%0A/bar"),
             Arguments.of("/foo%23+;,:=/b a r/?info ", "/foo%2523+%3B,:=/b%20a%20r/%3Finfo%20"),
             Arguments.of("/context/'list'/\"me\"/;<script>window.alert('xss');</script>",
                 "/context/%27list%27/%22me%22/%3B%3Cscript%3Ewindow.alert(%27xss%27)%3B%3C/script%3E"),