GUACAMOLE-839: Merge ensure plus signs in received encoded certificates are not decoded as spaces.

2025-09-05 20:57:40 +00:00 · 2025-04-23 14:20:24 -05:00
parent e09efe3e6e 29b56ff3cf
commit a4dafe961c
1 changed files with 13 additions and 0 deletions
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
@@ -142,6 +142,12 @@ public class SSLClientAuthenticationResource extends SSOResource {

    /**
     * Decodes the provided URL-encoded string as UTF-8, returning the result.
+     * <p>
+     * NOTE: The escape() function of the Apache HTTPD server is known to not
+     * encode plus signs, which can appear in the base64-encoded certificates
+     * typically received here. To avoid mangling such certificates, this
+     * function specifically avoids decoding plus signs as spaces (as would
+     * otherwise happen if URLDecoder is used directly).
     *
     * @param value
     *     The URL-encoded string to decode.
@@ -153,6 +159,13 @@ public class SSLClientAuthenticationResource extends SSOResource {
     *     If the provided value is not a valid URL-encoded string.
     */
    private byte[] decode(String value) throws GuacamoleException {
+
+        // Ensure all plus signs are decoded literally rather than as spaces
+        // (the Apache HTTPD implementation of URL escaping that applies to
+        // request headers does not encode plus signs, whereas the Nginx
+        // implementation does)
+        value = value.replace("+", "%2B");
+
        try {
            return URLDecoder.decode(value, StandardCharsets.UTF_8.name())
                    .getBytes(StandardCharsets.UTF_8);