
Using URLs with percent-encoded spaces in them with SAML authentication enabled results in a 400 error


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Highest
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.5.0
    • Component/s: None

      Description

      Issue Summary

      Environment

      • SAML enabled Bitbucket Server instance

      Steps to Reproduce

      1. Enable SAML
      2. Open URL like "/login?next=/plugins/servlet/create-branch?issueSummary%3Dtest%20test"

      Expected Results

      Redirected to SAML authentication provider, authenticated and redirected back to Bitbucket Server and to "Create Branch" page.

      Actual Results

      Present with Tomcat 400 (BAD_REQUEST) page.

      Notes

      This is a bug in Atlassian Authentication Plugin.

      What it does is read the next parameter from HttpServletRequest in BitbucketAuthenticationFilter. The problem here is that HttpServletRequest#getParameter returns the decoded string, so all of the + and %-encoded values have already been turned into their actual characters at that moment.
      The plugin then feeds the value it received from HttpServletRequest to the URI class, which throws an exception because the value contains illegal characters (spaces).
      What the plugin should be doing is to encode the string again before feeding it to the URI class.

      Workaround

      Workaround would be to use "/login?next=/plugins/servlet/create-branch?issueSummary%3Dtest%2520test" instead of "/bitbucket/login?next=/plugins/servlet/create-branch?issueSummary%3Dtest%20test".
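      The following is an added illustration of the decode-then-parse problem described in the Notes and of the re-encoding the report asks for; it is not code from the Atlassian Authentication Plugin. The filter class, the method names and the way the decoded value is split into path and query are assumptions; the sample value is constructed from the reproduction URL above.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class NextParamRedirect {

    // Constructed sample: what getParameter("next") hands back for the
    // reproduction URL once the servlet container has percent-decoded it
    // (%3D became '=', %20 became a space).
    static final String DECODED_NEXT =
            "/plugins/servlet/create-branch?issueSummary=test test";

    // The behaviour the report describes: the decoded value goes straight into
    // java.net.URI. A space is not a legal URI character, so this throws and
    // the container answers with a 400.
    static URI naiveRedirect(String decodedNext) throws URISyntaxException {
        return new URI(decodedNext);
    }

    // The fix the report asks for: re-encode before building the URI. The
    // decoded value is split into path and query at the first '?' and handed to
    // the multi-argument URI constructor, which percent-quotes characters that
    // are illegal in each component (space, '%', non-ASCII) instead of throwing.
    static URI reencodedRedirect(String decodedNext) throws URISyntaxException {
        int q = decodedNext.indexOf('?');
        String path = q < 0 ? decodedNext : decodedNext.substring(0, q);
        String query = q < 0 ? null : decodedNext.substring(q + 1);
        return new URI(null, null, path, query, null);
    }

    public static void main(String[] args) {
        try {
            naiveRedirect(DECODED_NEXT);
            System.out.println("naive: parsed without error");
        } catch (URISyntaxException e) {
            System.out.println("naive: " + e.getMessage());
        }
        try {
            URI fixed = reencodedRedirect(DECODED_NEXT);
            System.out.println("fixed: " + fixed.toASCIIString());
        } catch (URISyntaxException e) {
            System.out.println("fixed: " + e.getMessage());
        }
    }
}
```

      The same split-and-requote step also explains the workaround: sending %2520 means the container decodes only one level, so the value the plugin sees still contains %20 and is already a legal URI.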


              People

              Assignee:
              aermolenko aner
              Reporter:
              aermolenko aner
              Votes:
              13
              Watchers:
              14
