Working

Author: robotdan

src/main/java/io/fusionauth/http/util/HTTPTools.java

@@ -158,7 +158,7 @@ public static void parseEncodedData(byte[] data, int start, int length, Charset
         inName = false;
 
         try {
-          name = URLDecoder.decode(new String(data, start, i - start), charset);
+          name = URLDecoder.decode(new String(data, start, i - start, charset), charset);
         } catch (Exception e) {
           name = null; // Malformed
         }
@@ -174,7 +174,7 @@ public static void parseEncodedData(byte[] data, int start, int length, Charset
         //noinspection DuplicatedCode
         try {
           if (start < i) {
-            value = URLDecoder.decode(new String(data, start, i - start), charset);
+            value = URLDecoder.decode(new String(data, start, i - start, charset), charset);
           } else {
             value = "";
           }
@@ -193,7 +193,7 @@ public static void parseEncodedData(byte[] data, int start, int length, Charset
       //noinspection DuplicatedCode
       try {
         if (start < length) {
-          value = URLDecoder.decode(new String(data, start, length - start), charset);
+          value = URLDecoder.decode(new String(data, start, length - start, charset), charset);
         } else {
           value = "";
         }
@@ -322,7 +322,7 @@ public static void parseRequestPreamble(PushbackInputStream inputStream, int max
 
       // bytesRead will include bytes that are read past the end of the preamble. This should be ok because we will only throw an exception
       // for readExceeded once we have reached this state AND we are not yet in a complete state.
-      // - So if we exceed the max header size from this read, as long as this buffer includes the entire preamble we will not throw
+      // - If we exceed the max header size from this read, as long as this buffer includes the entire preamble we will not throw
       //   an exception.
       bytesRead += read;
       readExceeded = maxRequestHeaderSize != -1 && bytesRead >= maxRequestHeaderSize;

src/test/java/io/fusionauth/http/util/HTTPToolsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, FusionAuth, All Rights Reserved
+ * Copyright (c) 2022-2025, FusionAuth, All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,9 @@
 
 import java.io.ByteArrayInputStream;
 import java.net.URLEncoder;
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -42,41 +44,69 @@
 public class HTTPToolsTest {
   @Test
   public void parseEncodedData() {
-    // Test bad encoding
-
-    Map<String, List<String>> actual = new HashMap<>();
-
     // Happy path
-    byte[] body = "foo=bar".getBytes(StandardCharsets.UTF_8);
-    HTTPTools.parseEncodedData(body, 0, body.length, actual);
-    assertEquals(actual, Map.of("foo", List.of("bar")), "Actual:\n" + ToString.toString(actual));
+    assertEncoding("bar", "bar", StandardCharsets.UTF_8);
 
     // Note, there are 3 try/catches in the parseEncodedDate. This tests them in order, each hitting a specific try/catch.
 
     // Bad name encoding
-    actual.clear();
-    byte[] badName = "foo=bar&%%%=baz".getBytes(StandardCharsets.UTF_8);
-    HTTPTools.parseEncodedData(badName, 0, badName.length, actual);
-    assertEquals(actual, Map.of("foo", List.of("bar")), "Actual:\n" + ToString.toString(actual));
+    assertEncoding("bar&%%%=baz", "bar", StandardCharsets.UTF_8);
 
     // Bad value encoding
-    actual.clear();
-    byte[] badValue1 = "foo=bar&bar=ba%å&=boom".getBytes(StandardCharsets.UTF_8);
-    HTTPTools.parseEncodedData(badValue1, 0, badValue1.length, actual);
-    assertEquals(actual, Map.of("foo", List.of("bar")), "Actual:\n" + ToString.toString(actual));
+    assertEncoding("bar&bar=ba%å&=boom", "bar", StandardCharsets.UTF_8);
 
     // Bad value encoding
-    actual.clear();
-    byte[] badValue2 = "foo=bar&bar=% % %".getBytes(StandardCharsets.UTF_8);
-    HTTPTools.parseEncodedData(badValue2, 0, badValue2.length, actual);
-    assertEquals(actual, Map.of("foo", List.of("bar")), "Actual:\n" + ToString.toString(actual));
+    assertEncoding("bar&bar=% % %", "bar", StandardCharsets.UTF_8);
+
+    // UTF-8 encoding of characters not in the ISO-8859-1 character set
+    assertEncoding("😎", "😎", StandardCharsets.UTF_8);
+    assertEncoding("é", "é", StandardCharsets.UTF_8);
+    assertEncoding("€", "€", StandardCharsets.UTF_8);
+    assertEncoding("Héllö", "Héllö", StandardCharsets.UTF_8);
+
+    // Double byte values are outside ISO-88559-1, so we should expect them to not render correctly. See next test.
+    assertHexValue("😎", "D83D DE0E");
+    assertHexValue("€", "20AC");
+
+    // ISO-8559-1 encoding of characters outside the character set
+    assertEncoding("😎", "?", StandardCharsets.ISO_8859_1);
+    assertEncoding("€", "?", StandardCharsets.ISO_8859_1);
+
+    // These values are within the ISO-8559-1 charset, expect them to render correctly.
+    assertHexValue("é", "E9");
+    assertHexValue("Héllö", "48 E9 6C 6C F6");
+
+    // ISO-8559-1 encoding of non-ASCII characters inside the character set
+    assertEncoding("é", "é", StandardCharsets.ISO_8859_1);
+    assertEncoding("Héllö", "Héllö", StandardCharsets.ISO_8859_1);
+
+    // Mixing and matching. Expect some wonky behavior.
+    // - Encoded using ISO-8559-1 and decoded as UTF-8
+    assertEncoding("Héllö", "H�ll�", StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8);
+    assertEncoding("Hello world", "Hello world", StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8);
+    // - Reverse
+    // The é fails here because while it does exist in both UTF-8 and ISO-8859-1, it is not the same byte. So expect the rendering to be off.
+    assertHexValue("é", "C3 A9", StandardCharsets.UTF_8);
+    assertHexValue("é", "E9", StandardCharsets.ISO_8859_1);
+    assertHexValue("Ã", "C3", StandardCharsets.ISO_8859_1);
+    assertHexValue("©", "A9", StandardCharsets.ISO_8859_1);
+    assertEncoding("é", "é", StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1);
+
+    // The ö fails here because while it does exist in both UTF-8 and ISO-8859-1, it is not the same byte. So expect the rendering to be off.
+    assertHexValue("ö", "C3 B6", StandardCharsets.UTF_8);
+    assertHexValue("ö", "F6", StandardCharsets.ISO_8859_1);
+    assertHexValue("¶", "B6", StandardCharsets.ISO_8859_1);
+    assertEncoding("Héllö", "Héllö", StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1);
+    assertEncoding("Hello world", "Hello world", StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1);
   }
 
   @Test
   public void parseHeaderValue() {
     String iso = "åpple";
     String utf = "😁";
+    assertEquals(HTTPTools.parseHeaderValue("text/plain; charset=iso8859-1"), new HeaderValue("text/plain", Map.of("charset", "iso8859-1")));
     assertEquals(HTTPTools.parseHeaderValue("text/plain; charset=iso-8859-1"), new HeaderValue("text/plain", Map.of("charset", "iso-8859-1")));
+    assertEquals(HTTPTools.parseHeaderValue("text/plain; charset=iso8859-1; boundary=FOOBAR"), new HeaderValue("text/plain", Map.of("boundary", "FOOBAR", "charset", "iso8859-1")));
     assertEquals(HTTPTools.parseHeaderValue("text/plain; charset=iso-8859-1; boundary=FOOBAR"), new HeaderValue("text/plain", Map.of("boundary", "FOOBAR", "charset", "iso-8859-1")));
     assertEquals(HTTPTools.parseHeaderValue("form-data; filename=foo.jpg"), new HeaderValue("form-data", Map.of("filename", "foo.jpg")));
     assertEquals(HTTPTools.parseHeaderValue("form-data; filename=\"foo.jpg\""), new HeaderValue("form-data", Map.of("filename", "foo.jpg")));
@@ -89,6 +119,7 @@ public void parseHeaderValue() {
     assertEquals(HTTPTools.parseHeaderValue("form-data; filename=ignore.jpg; filename*=ISO-8859-1'en'foo.jpg"), new HeaderValue("form-data", Map.of("filename", "foo.jpg")));
 
     // Encoded
+    assertEquals(HTTPTools.parseHeaderValue("form-data; filename*=ISO8859-1'en'" + URLEncoder.encode(iso, StandardCharsets.ISO_8859_1)), new HeaderValue("form-data", Map.of("filename", iso)));
     assertEquals(HTTPTools.parseHeaderValue("form-data; filename*=ISO-8859-1'en'" + URLEncoder.encode(iso, StandardCharsets.ISO_8859_1)), new HeaderValue("form-data", Map.of("filename", iso)));
     assertEquals(HTTPTools.parseHeaderValue("form-data; filename*=UTF-8'en'" + URLEncoder.encode(utf, StandardCharsets.UTF_8)), new HeaderValue("form-data", Map.of("filename", utf)));
 
@@ -182,4 +213,41 @@ public void parsePreamble() throws Exception {
     int nextRequestRead = pushbackInputStream.read(buffer);
     assertEquals(nextRequestRead, 16);
   }
+
+  private void assertEncoding(String actualValue, String expectedValue, Charset charset) {
+    assertEncoding(actualValue, expectedValue, charset, charset);
+
+  }
+
+  private void assertEncoding(String actualValue, String expectedValue, Charset encodingCharset, Charset decodingCharset) {
+    Map<String, List<String>> result = new HashMap<>(1);
+    byte[] encoded = ("foo=" + actualValue).getBytes(encodingCharset);
+    HTTPTools.parseEncodedData(encoded, 0, encoded.length, decodingCharset, result);
+    assertEquals(result, Map.of("foo", List.of(expectedValue)), "Actual:\n" + ToString.toString(result));
+  }
+
+  private void assertHexValue(String s, String expected) {
+    assertEquals(hex(s), expected);
+  }
+
+  private void assertHexValue(String s, String expected, Charset charset) {
+    assertEquals(hex(s.getBytes(charset)), expected);
+  }
+
+  private String hex(byte[] bytes) {
+    List<String> result = new ArrayList<>();
+    for (byte b : bytes) {
+
+      result.add(Integer.toHexString(0xFF & b).toUpperCase());
+    }
+    return String.join(" ", result);
+  }
+
+  private String hex(String s) {
+    List<String> result = new ArrayList<>();
+    for (char ch : s.toCharArray()) {
+      result.add(Integer.toHexString(ch).toUpperCase());
+    }
+    return String.join(" ", result);
+  }
 }