StrictHttpFirewall containsOnlyPrintableAsciiCharacters blocks safe characters

[jd3nn1s]

Summary

An encoded space in a URL is treated as a non-printable ASCII character and therefore is rejected by StrictHttpFirewall with no obvious way to allow without switching to HttpFirewall.

Actual Behavior

Request:
http://testhost.test/v1/config/IDE%20Settings/key/Color

Exception:
The requestURI was rejected because it can only contain printable ASCII characters

containsOnlyPrintableAsciiCharacters() rejects space even though it is a printable character. I do not know if space is an attack vector for bypassing security rules but it seems unlikely. Certainly space is considered a printable ASCII character.

Expected Behavior

Request is accepted.

Configuration

Version

4.2.4

[jd3nn1s]

Would a patch be accepted to add space to the list of accepted printable ASCII characters?

[rwinch]

@jd3nn1s Thanks for the report!

I'm curious how you are coming across the error. The javadoc on HttpServletRequest.getRequestURI() states:

Returns the part of this request's URL from the protocol name up to the query string in the first line of the HTTP request. The web container does not decode this String.

This means that the value should be /v1/config/IDE%20Settings/key/Color which does not contain a space.