Incorrect double-unescaping of request parameters breaks restricted mode check on view name presence

[subotaii]

Since upgrade my project from spring boot 2.4.1 to 2.4.2 (with upgrade thymeleaf-spring5-3.0.12) there is a bug when post forms with input containing '%' character (for example : "%example%").

This bug was introduced with change in class ThymeleafView method renderFragment() and the call of checkViewNameNotInRequest() :

Controllers using Forms that have percent-encoded values that cannot be decoded (that is, "%example%") in them and the controller endpoint that processes the form returns a "view :: fragment".

java.lang.IllegalArgumentException: Incomplete escaping sequence in input at org.unbescape.uri.UriEscapeUtil.unescape(UriEscapeUtil.java:617) at org.unbescape.uri.UriEscape.unescapeUriQueryParam(UriEscape.java:1702) at org.unbescape.uri.UriEscape.unescapeUriQueryParam(UriEscape.java:1668) at org.thymeleaf.spring5.util.SpringRequestUtils.checkViewNameNotInRequest(SpringRequestUtils.java:55) at org.thymeleaf.spring5.view.ThymeleafView.renderFragment(ThymeleafView.java:275) at org.thymeleaf.spring5.view.ThymeleafView.render(ThymeleafView.java:190) at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1373) at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1118) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1057) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)

At the time checkViewNameNotInRequest() is called, the request parameters are already unescaped and hence calling UriEscape.unescapeUriQueryParam()will fail for values that contain an invalid '%' escape sequence.

[subotaii]

Hello, have you any update about this issue ?

[dev321ops]

We are also affected by this issue. How can we help?

[dsavenkoGIT]

We are also affected and forced to downgrade (unable to update). It causes the error trying to save anything with % sign in the textarea in any form. You attention and resolution are appreciated.

[subotaii]

Hello, is there any news? I am still forced to downgrade version of thymeleaf...

[iHuGi]

How do i downgrade the version of thyemeleaf? Is it associated with this?

org.springframework.boot spring-boot-starter-thymeleaf

i have no idea on how to progress.

[yu-shiba]

@iHuGi If you are using gradle, you can downgrade it with the following

ext['thymeleaf.version'] = '3.0.11.RELEASE'

https://docs.spring.io/spring-boot/docs/current/gradle-plugin/reference/htmlsingle/#managing-dependencies.dependency-management-plugin.customizing

[subotaii]

@iHuGi and if you are using Maven, simply add this property in your main pom.xml :
<thymeleaf.version>3.0.11.RELEASE</thymeleaf.version>

[iHuGi]

@iHuGi If you are using gradle, you can downgrade it with the following

ext['thymeleaf.version'] = '3.0.11.RELEASE'

https://docs.spring.io/spring-boot/docs/current/gradle-plugin/reference/htmlsingle/#managing-dependencies.dependency-management-plugin.customizing

I'm using Maven, unfortunately i had to downgrade for Amazon Correto 17 to 11 and also Spring Boot to 2.4.1 since the code just would not run. Even 2.4.1 with Java 17 would throw errors somewhere. With Amazon Correto 11 and Spring Boot 2.4.1 everything is working perfectly, used Maven to clean install and build always succeeds.

Sad i like to use the latest stuff on my projects but i just can't see how to make this work now, i gotta see the comment section elsewhere to see how other people changed their code base. I have loads of thymeleaf files here unfortunately.