ForwardedHeaderTransformer handles encoding correctly

Issue: SPR-17525

ForwardedHeaderTransformer handles encoding correctly
Issue: SPR-17525
7e9857a6 · Rossen Stoyanchev · 0134c9d6 · 7e9857a6 · 7e9857a6
2 changed file
--- a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
+++ b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
@@ -22,6 +22,7 @@ import java.util.Locale;
 import java.util.Set;
 import java.util.function.Function;

+import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.lang.Nullable;
@@ -36,6 +37,12 @@ import org.springframework.web.util.UriComponentsBuilder;
 * <p>Alternatively if {@link #setRemoveOnly removeOnly} is set to "true",
 * then "Forwarded" and "X-Forwarded-*" headers are only removed, and not used.
 *
+ * <p>An instance of this class is typically declared as a bean with the name
+ * "forwardedHeaderTransformer" and detected by
+ * {@link WebHttpHandlerBuilder#applicationContext(ApplicationContext)}, or it
+ * can also be registered directly via
+ * {@link WebHttpHandlerBuilder#forwardedHeaderTransformer(ForwardedHeaderTransformer)}.
+ *
 * @author Rossen Stoyanchev
 * @since 5.1
 * @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
@@ -85,7 +92,7 @@ public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, S
 		if (hasForwardedHeaders(request)) {
 			ServerHttpRequest.Builder builder = request.mutate();
 			if (!this.removeOnly) {
-				URI uri = UriComponentsBuilder.fromHttpRequest(request).build().toUri();
+				URI uri = UriComponentsBuilder.fromHttpRequest(request).build(true).toUri();
 				builder.uri(uri);
 				String prefix = getForwardedPrefix(request);
 				if (prefix != null) {

--- a/spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java
@@ -21,6 +21,7 @@ import java.net.URI;
 import org.junit.Test;

 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.mock.http.server.reactive.test.MockServerHttpRequest;

@@ -100,6 +101,23 @@ public class ForwardedHeaderTransformerTests {
 		assertForwardedHeadersRemoved(request);
 	}

+	@Test // SPR-17525
+	public void shouldNotDoubleEncode() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.add("Forwarded", "host=84.198.58.199;proto=https");
+
+		ServerHttpRequest request = MockServerHttpRequest
+				.method(HttpMethod.GET, new URI("http://example.com/a%20b?q=a%2Bb"))
+				.headers(headers)
+				.build();
+
+		request = this.requestMutator.apply(request);
+
+		assertEquals(new URI("https://84.198.58.199/a%20b?q=a%2Bb"), request.getURI());
+		assertForwardedHeadersRemoved(request);
+	}
+
+
 	private MockServerHttpRequest getRequest(HttpHeaders headers) {
 		return MockServerHttpRequest.get(BASE_URL).headers(headers).build();
 	}