GIScience / ohsome-api

API for analysing OpenStreetMap history data
https://api.ohsome.org
GNU Affero General Public License v3.0

Pipe sign delimiter in boundary parameter for GET requests not working #59

Closed FabiKo117 closed 4 years ago

FabiKo117 commented 4 years ago

When using the pipe sign delimiter to give a list of different boundaries, the current master returns a 400 - BadRequestException. The following message appears in the console when tested locally:

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

URL used to test:

https://api.ohsome.org/v1/elements/count/groupBy/boundary?bboxes=Heidelberg:8.5992,49.3567,8.7499,49.4371|Heilbronn:9.1638,49.113,9.2672,49.1766&filter=type:way and building=residential&time=2015-01-01

FabiKo117 commented 4 years ago

It actually seems like this has been caused by a recent security update from Apache Tomcat, which no longer allows some characters that are not encoded. Following a comment on Stack Overflow, the pipe sign also no longer works within the java.net library (see bottom of this comment).

Following the suggested answer here, the approach of adding this bean is working. The question, though, is whether we want to keep supporting something that has been discarded by others. edit: I'd suggest we add this fix for now and include it in the next minor release, but we should think of a bigger change regarding that for the next major release, e.g. only supporting one bbox, bpoly, bpoint OR using GeoJSON if someone wants to use more than one boundary feature.

tyrasd commented 4 years ago

The following upstream bug report should be related: https://bugzilla.redhat.com/show_bug.cgi?id=1397484

This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
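The thread above boils down to two things: Tomcat now rejects raw characters in the request target that RFC 3986 does not permit (the `|` and the spaces in the test URL), and the safe client-side fix is to percent-encode those characters rather than relax the server. The following added example is not ohsome-api project code; it models the RFC 3986 query-character rule that the hardened parser enforces and builds the same request with the delimiter encoded. The base URL and parameter names are taken from the issue's test URL; the helper names `invalid_query_chars` and `build_encoded_url` are assumptions of this example.

```python
"""RFC 3986 query-character check plus a correctly encoded request builder.

Added example, not code from the ohsome-api project. It shows why the test
URL in the issue is rejected by a hardened servlet container and how a client
should send the same parameters so that '|' travels as %7C and ' ' as %20.
"""
import re
from urllib.parse import quote, urlsplit

# RFC 3986: query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded
# / sub-delims / ":" / "@". Everything else (including '|', ' ', '{', '}')
# must be percent-encoded. '%' is handled separately below.
_ALLOWED_RAW = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~"                      # unreserved
    "!$&'()*+,;="               # sub-delims
    ":@/?"                      # extra pchar / query characters
)
_PCT_ESCAPE = re.compile(r"[0-9A-Fa-f]{2}")


def invalid_query_chars(query: str) -> set[str]:
    """Return the characters of `query` that RFC 3986 does not allow unencoded.

    A '%' is only valid when it starts a well-formed %XX escape; a bare '%'
    is reported as invalid too.
    """
    bad: set[str] = set()
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "%":
            if _PCT_ESCAPE.fullmatch(query[i + 1:i + 3]):
                i += 3          # skip the complete escape sequence
                continue
            bad.add("%")
        elif ch not in _ALLOWED_RAW:
            bad.add(ch)
        i += 1
    return bad


def build_encoded_url(base: str, params: dict[str, str]) -> str:
    """Assemble `base?k=v&...` with every value percent-encoded.

    ':' and ',' are kept raw because both are legal pchar characters, which
    keeps the bbox list readable; '|', ' ' and '=' inside values are encoded.
    """
    query = "&".join(
        f"{quote(key, safe='')}={quote(value, safe=':,')}"
        for key, value in params.items()
    )
    return f"{base}?{query}"


# The exact URL from the issue report (constructed from the page's test URL).
ISSUE_URL = (
    "https://api.ohsome.org/v1/elements/count/groupBy/boundary"
    "?bboxes=Heidelberg:8.5992,49.3567,8.7499,49.4371"
    "|Heilbronn:9.1638,49.113,9.2672,49.1766"
    "&filter=type:way and building=residential&time=2015-01-01"
)
ISSUE_PARAMS = {
    "bboxes": "Heidelberg:8.5992,49.3567,8.7499,49.4371|Heilbronn:9.1638,49.113,9.2672,49.1766",
    "filter": "type:way and building=residential",
    "time": "2015-01-01",
}


def rejected_chars_in_issue_url() -> set[str]:
    """Characters that make the issue's raw URL a 400 on a hardened Tomcat."""
    return invalid_query_chars(urlsplit(ISSUE_URL).query)


def encoded_issue_url() -> str:
    """The same request, encoded so that no raw invalid character remains."""
    return build_encoded_url(
        "https://api.ohsome.org/v1/elements/count/groupBy/boundary", ISSUE_PARAMS
    )


if __name__ == "__main__":
    print("rejected raw characters:", rejected_chars_in_issue_url())
    print("encoded request:", encoded_issue_url())
    print("remaining invalid:", invalid_query_chars(urlsplit(encoded_issue_url()).query))
```

The server-side alternative mentioned in the thread (a Tomcat connector customizer that sets `relaxedQueryChars` to admit `|`) makes the old URLs work again, but it reintroduces exactly the proxy/container disagreement the Red Hat report describes: two parsers reading one byte differently is the precondition for response injection and cache poisoning. Encoding on the client side, as above, works with every intermediary and needs no server relaxation.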