[QIWI Wallet] A bug: a «PUT api.qiwi.com/api/v2/prv/{prv_id}/bills/{bill_id}» request fails when the {bill_id} parameter contains an URL-encoded slash (%2F) despite the API specification does not forbid any characters in {bill_id}

bug
qiwi-wallet
qiwi-wallet-api
(Dmitry Fedyuk) #1

The API specification states (looks like mistakenly) that any characters are allowed in the {bill_id} parameter of the PUT api.qiwi.com/api/v2/prv/{prv_id}/bills/{bill_id} API request.

But if {bill_id} contains an URL-encoded slash (%2F), then the PUT api.qiwi.com/api/v2/prv/{prv_id}/bills/{bill_id} API request fails with the message «300 - Technical error» («300 - Техническая ошибка»).

An example:

It will succeed: PUT /api/v2/prv/488380/bills/649

It will fail: PUT /api/v2/prv/488380/bills/649%2F

0 Likes

[QIWI Wallet] The API specification states (looks like mistakenly) that any characters are allowed in the {bill_id} parameter of the «PUT api.qiwi.com/api/v2/prv/{prv_id}/bills/{bill_id}» API request
(Dmitry Fedyuk) #2

I have got a response from the QIWI Wallet support:

Суть в том, что веб-сервер Jetty декодит path и тем самым заменяет %2F на / ещё до того, как запрос попадёт в код процессинга.
Детали в org.eclipse.jetty.util.URIUtil#decodePath(java.lang.String, int, int)
Cлеш в обычном виде / и в encoded %2F передавать не получится.

0 Likes