Not sure this is the right place for this.
Seems like any ‘%’ in the source string that isn’t a URL encoding produces this error.
dump(canonicalize('9%', false, false));
This bug appears to be related to ESAPI 2.2.4.15 as we’ve never had this error before. Rolling back to 2.2.4.13 fixes it.
Tested on two different systems
Platform: Mac
Java: 11.0.21
Lucee: 5.4.3.16
Platform: Ubuntu 22.04
Java: 11.0.20.1
Lucee: 5.3.11.5
"URLDecoder: Incomplete trailing escape (%) pattern;lucee.runtime.exp.NativeException: URLDecoder: Incomplete trailing escape (%) pattern
- /private/canontest.cfm:3
- /Application.cfc:96
at java.base/java.net.URLDecoder.decode(Unknown Source)
at java.base/java.net.URLDecoder.decode(Unknown Source)
at org.lucee.extension.esapi.functions.Canonicalize.call(Canonicalize.java:48)
at org.lucee.extension.esapi.functions.Canonicalize.invoke(Canonicalize.java:70)
at lucee.runtime.functions.FunctionHandlerPool.invoke(FunctionHandlerPool.java:40)
at _private.canontest_cfm$cf.call(/private/canontest.cfm:3)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1025)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:948)
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:929)
at application_cfc$cf.udfCall(/Application.cfc:96)
at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
at lucee.runtime.type.UDFImpl.call(UDFImpl.java:223)
at lucee.runtime.ComponentImpl._call(ComponentImpl.java:664)
at lucee.runtime.ComponentImpl._call(ComponentImpl.java:586)
at lucee.runtime.ComponentImpl.call(ComponentImpl.java:1933)
at lucee.runtime.listener.ModernAppListener.call(ModernAppListener.java:444)
at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:218)
at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:44)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2493)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2478)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2449)
at lucee.runtime.engine.Request.exe(Request.java:45)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1216)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1162)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:405)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at runwar.undertow.SSLClientCertHeaderHandler.handleRequest(SSLClientCertHeaderHandler.java:144)
at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityCo
– very long stack, omitted 2542 bytes