Parameter string returned by `getQueryParameterString` persist between requests

NanoHttpd / nanohttpd

Tiny, easily embeddable HTTP server in Java.

http://nanohttpd.org

BSD 3-Clause "New" or "Revised" License

6.96k stars 1.7k forks source link

Parameter string returned by `getQueryParameterString` persist between requests #596

Open yurijmikhalevich opened 3 years ago

yurijmikhalevich commented 3 years ago

Steps to reproduce:

Send GET /something?param=value to the NanoHTTPD server
Send GET /whatever to the NanoHTTPD server
Observe, that session.getQueryParameterString() will return param=value for both requests.

yurijmikhalevich commented 3 years ago

Looks like decodeParams should be called here unconditionally: https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/HTTPSession.java#L156-L157

Since decodeParams can handle missing params well on its own: https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/HTTPSession.java#L306-L310

Alternatively, we can this.queryParameterString = ""; before the check on L156 in HTTPSession.java.

yurijmikhalevich commented 3 years ago

If anyone stumbles upon this, you can work around this by nullifying session.queryParameterString after you've processed the request with the following code:

Field queryParameterStringField = session.getClass().getDeclaredField("queryParameterString");
queryParameterStringField.setAccessible(true);
queryParameterStringField.set(session, null);