telefonicaid · fgalan · Feb 12, 2016 · Feb 11, 2016 · Feb 12, 2016 · kzangeli
diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
@@ -16,3 +16,5 @@
 - Add: type param for POST entity in v2 (Issue #982, #984)
 - Add: support for geo:point type as a way of specifying location attribute in NGSIv2 (Issue #1038)
 - Add: type param for PUT entity in v2 (Issue #988, #992, #1000)
+- Fix: not detecting forbidden chars in entityID for PATCH v2 (Issue #1782)
+
diff --git a/src/lib/serviceRoutinesV2/patchEntity.cpp b/src/lib/serviceRoutinesV2/patchEntity.cpp
@@ -28,7 +28,7 @@
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
 #include "common/errorMessages.h"
-
+#include "parse/forbiddenChars.h"
 #include "rest/ConnectionInfo.h"
 #include "ngsi/ParseData.h"
 #include "apiTypesV2/Entities.h"
@@ -71,6 +71,12 @@ std::string patchEntity
   eP->id = compV[2];
   eP->type = ciP->uriParam["type"];
 
+  if (forbiddenIdChars(ciP->apiVersion, eP->id.c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, "invalid character in URI");
+    return oe.render(ciP, "");
+  }
+
   // 01. Fill in UpdateContextRequest
   parseDataP->upcr.res.fill(eP, "UPDATE");
 

diff --git a/...nctionalTest/cases/1782_forbidden_char_id_uri_patch/1782_forbidden_char_id_uri_patch.test b/...nctionalTest/cases/1782_forbidden_char_id_uri_patch/1782_forbidden_char_id_uri_patch.test
@@ -0,0 +1,60 @@
+# Copyright 2016 Telefonica Investigacion y Desarrollo, S.A.U
+#
+# This file is part of Orion Context Broker.
+#
+# Orion Context Broker is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# Orion Context Broker is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with Orion Context Broker. If not, see http://www.gnu.org/licenses/.
+#
+# For those usages not covered by this license please contact with
+# iot_support at tid dot es
+
+# VALGRIND_READY - to mark the test ready for valgrindTestSuite.sh
+
+--NAME--
+PATCH /v2/entities/E& forbidden chars in ID
+
+--SHELL-INIT--
+dbInit CB
+brokerStart CB
+
+--SHELL--
+
+#
+# 01. PATCH entity with forbidden char in ID
+#
+
+echo "01. PATCH entity with forbidden char in ID"
+echo "=========================================="
+payload='{ "attr1": 1 }'
+orionCurl --url '/v2/entities/E&?options=keyValues' -X PATCH --payload "$payload" --json
+echo
+echo
+
+
+--REGEXPECT--
+01. PATCH entity with forbidden char in ID
+==========================================
+HTTP/1.1 400 Bad Request
+Content-Length: 63
+Content-Type: application/json
+Date: REGEX(.*)
+
+{
+    "description": "invalid character in URI",
+    "error": "BadRequest"
+}
+
+
+--TEARDOWN--
+brokerStop CB
+dbDrop CB