diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
index 2c93da9716..6e458d3b88 100644
--- a/CHANGES_NEXT_RELEASE
+++ b/CHANGES_NEXT_RELEASE
@@ -1,3 +1,4 @@
 - Fix: missing lastSuccess/lastFailure associated to initial notification on subscription creation some times when csub cache is in use (#2974)
 - Fix: several invalid memory accesses (based on a workaround, not a definitive solution, see issue #2994)
 - Add: release_date and doc fields are added to the GET /version output to align with FIWARE scheme (#2970)
+- Fix: broken JSON due to unscaped quotes (") in NGSIv2 error description field (#2955)
\ No newline at end of file
diff --git a/src/lib/rest/OrionError.cpp b/src/lib/rest/OrionError.cpp
index cb0fa7ab31..e7f8271bf0 100644
--- a/src/lib/rest/OrionError.cpp
+++ b/src/lib/rest/OrionError.cpp
@@ -125,7 +125,18 @@ std::string OrionError::setStatusCodeAndSmartRender(ApiVersion apiVersion, HttpS
 */
 std::string OrionError::toJson(void)
 {
- return "{" + JSON_STR("error") + ":" + JSON_STR(reasonPhrase) + "," + JSON_STR("description") + ":" + JSON_STR(details) + "}";
+ std::string out;
+ char* reasonPhraseEscaped = htmlEscape(reasonPhrase.c_str());
+ char* detailsEscaped = htmlEscape(details.c_str());
+
+ out += "{" + JSON_VALUE("error", reasonPhraseEscaped);
+ out += ",";
+ out += JSON_VALUE("description", detailsEscaped) + "}";
+
+ free(reasonPhraseEscaped);
+ free(detailsEscaped);
+
+ return out;
 }
diff --git a/test/functionalTest/cases/2955_quote_in_url_not_escaped/quote_in_url_not_escaped.test b/test/functionalTest/cases/2955_quote_in_url_not_escaped/quote_in_url_not_escaped.test
new file mode 100644
index 0000000000..2b98514a05
--- /dev/null
+++ b/test/functionalTest/cases/2955_quote_in_url_not_escaped/quote_in_url_not_escaped.test
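Review bot: `htmlEscape` in the new `toJson` body is an HTML-entity escaper, not a JSON one, so the output is well-formed only for the characters that helper happens to map: a backslash or a control character (newline, tab) in `details`, which carries request-derived text such as the URI parameter name in the accompanying test, presumably still passes through and leaves the document malformed, while every `"` it does map reaches the client as an entity inside the JSON value rather than the original character, silently changing the error text for non-HTML consumers. The robust fix is a JSON string escaper (`\"`, `\\`, and `\uXXXX` for U+0000–U+001F, RFC 8259 §7) applied to both `reasonPhrase` and `details`; one is sketched below as a file-local helper, to be dropped in favour of the project's own JSON escaper if one already exists, and it reuses the `JSON_STR` spelling of the removed line because that is the only macro whose argument type is visible here. Returning `std::string` also removes the two raw buffers, which leak if a `std::string` concatenation throws between `htmlEscape` and `free`, and the unchecked NULL that `htmlEscape` may return on allocation failure. The new functional test only exercises a double quote, so a second case with a backslash in the parameter name would pin the behaviour this change is meant to fix.
```cpp
// Escape `in` for use inside a JSON string literal (RFC 8259 section 7):
// quote and backslash get a backslash prefix, U+0000-U+001F become \uXXXX.
// HTML entities are not JSON escapes and would change the delivered value.
static std::string jsonEscape(const std::string& in)
{
  static const char hex[] = "0123456789abcdef";
  std::string out;
  out.reserve(in.size());

  for (std::string::size_type ix = 0; ix < in.size(); ++ix)
  {
    unsigned char c = static_cast<unsigned char>(in[ix]);

    switch (c)
    {
    case '"':  out += "\\\""; break;
    case '\\': out += "\\\\"; break;
    case '\b': out += "\\b";  break;
    case '\f': out += "\\f";  break;
    case '\n': out += "\\n";  break;
    case '\r': out += "\\r";  break;
    case '\t': out += "\\t";  break;
    default:
      if (c < 0x20)
      {
        out += "\\u00";
        out += hex[c >> 4];
        out += hex[c & 0x0F];
      }
      else
      {
        out += static_cast<char>(c);
      }
    }
  }

  return out;
}

std::string OrionError::toJson(void)
{
  // Both fields can carry request-derived text: escape them as JSON, not as HTML
  return "{" + JSON_STR("error") + ":" + JSON_STR(jsonEscape(reasonPhrase)) + "," + JSON_STR("description") + ":" + JSON_STR(jsonEscape(details)) + "}";
}
```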
@@ -0,0 +1,53 @@
+# Copyright 2013 Telefonica Investigacion y Desarrollo, S.A.U
+#
+# This file is part of Orion Context Broker.
+#
+# Orion Context Broker is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# Orion Context Broker is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with Orion Context Broker. If not, see http://www.gnu.org/licenses/.
+#
+# For those usages not covered by this license please contact with
+# iot_support at tid dot es

# VALGRIND_READY - to mark the test ready for valgrindTestSuite.sh

--NAME--
Quote in URL not escaped

--SHELL-INIT--
dbInit CB
brokerStart CB

--SHELL--

echo "0: ++++++++++++++++++++"
orionCurl --url '/v2/entities?foo\"'
echo
echo

--REGEXPECT--
0: ++++++++++++++++++++
HTTP/1.1 400 Bad Request
Content-Length: 86
Content-Type: application/json
Fiware-Correlator: REGEX([0-9a-f\-]{36})
Date: REGEX(.*)

{
  "description": "Empty right-hand-side for URI param /foo"/",
  "error": "BadRequest"
}


--TEARDOWN--
brokerStop CB
dbDrop CB