Using URLs with percent-encoded spaces in them with SAML authentication enabled results in a 400 error


    • Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • 7.5.0
    • Affects Version/s: None
    • Component/s: None
    • Severity 2 - Major

      Issue Summary

      Environment

      • SAML enabled Bitbucket Server instance

      Steps to Reproduce

      1. Enable SAML
      2. Open URL like "/login?next=/plugins/servlet/create-branch?issueSummary%3Dtest%20test"

      Expected Results

      Redirected to SAML authentication provider, authenticated and redirected back to Bitbucket Server and to "Create Branch" page.

      Actual Results

      Present with Tomcat 400 (BAD_REQUEST) page.

      Notes

      This is a bug in Atlassian Authentication Plugin.

      The plugin reads the next parameter from the HttpServletRequest in BitbucketAuthenticationFilter. The problem is that HttpServletRequest#getParameter returns the decoded string, so all + and %-encoded values have already been turned into their literal characters at that point.
      The plugin then feeds the value it received from HttpServletRequest to the URI class, which throws an exception because the string contains illegal characters (spaces).
      What the plugin should be doing is to encode the string again before feeding it to the URI class.
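      The following stand-alone Java program is an added illustration of the failure described above and of the re-encoding fix; it is not code from the plugin or from Bitbucket Server. It assumes Java 10 or newer (for URLDecoder.decode with a Charset), mimics getParameter with URLDecoder, and uses the constructed sample value from the reproduction steps.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class NextParamDemo {
    // Constructed sample: the "next" value exactly as it appears in the request line
    static final String RAW_NEXT = "/plugins/servlet/create-branch?issueSummary%3Dtest%20test";

    // Stand-in for HttpServletRequest#getParameter: the container hands back the
    // decoded form, so %20 (and '+') become a literal space and %3D becomes '='
    static String getParameterLikeServlet(String raw) {
        return URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    // Buggy path: the decoded string goes straight into URI(String), which rejects
    // the literal space with a URISyntaxException (surfaced as Tomcat's 400 page)
    static URI parseDecodedDirectly(String decoded) throws URISyntaxException {
        return new URI(decoded);
    }

    // Fixed path: split path and query on the first '?' and hand them to the
    // multi-argument constructor, which percent-encodes illegal characters again
    static URI parseWithReencoding(String decoded) throws URISyntaxException {
        int q = decoded.indexOf('?');
        String path = q < 0 ? decoded : decoded.substring(0, q);
        String query = q < 0 ? null : decoded.substring(q + 1);
        URI uri = new URI(null, null, path, query, null);
        // Extra safety check (assumption, not from the issue): a redirect target
        // taken from user input must stay relative to this host
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            throw new URISyntaxException(decoded, "next must be a local path");
        }
        return uri;
    }

    public static void main(String[] args) throws URISyntaxException {
        String decoded = getParameterLikeServlet(RAW_NEXT);
        System.out.println("decoded:    " + decoded);
        try {
            parseDecodedDirectly(decoded);
        } catch (URISyntaxException e) {
            System.out.println("buggy path: " + e.getMessage());
        }
        System.out.println("fixed path: " + parseWithReencoding(decoded).toASCIIString());
    }
}
```

      Running it shows the decoded value with a literal space, the URISyntaxException from the buggy path, and the re-encoded target "/plugins/servlet/create-branch?issueSummary=test%20test" from the fixed path.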

      Workaround

      The workaround is to use "/login?next=/plugins/servlet/create-branch?issueSummary%3Dtest%2520test" instead of "/bitbucket/login?next=/plugins/servlet/create-branch?issueSummary%3Dtest%20test".

            Assignee:
            Tony Miller (Inactive)
            Reporter:
            Tony Miller (Inactive)
            Votes:
            13
            Watchers:
            14
