Download of files impossible (Windows).

[rhe-reliatec]

Description:

Install LibreClinica on Windows (10 professional, also Win11). It is not possible to download previously uploaded files. The download-urls are not encoded at all. Therefore they contain invalid characters.
The only thing you get back is an error-page:

HTTP Status 400 – Bad Request

Type Exception Report

Message Invalid character found in the request target [/LibreClinica/DownloadAttachedFile?eventCRFId=7&fileName=./theuploads/attached_files\S_LCSTUDY\_Screenshot_2023_11_23_181045617A9CAC9B5DBAB7E65B5CEDABB40DFBE1481377_8287568368932741925.png]. The valid characters are defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request target [/LibreClinica/DownloadAttachedFile?eventCRFId=7&fileName=./theuploads/attached_files\S_LCSTUDY\_Screenshot_2023_11_23_181045617A9CAC9B5DBAB7E65B5CEDABB40DFBE1481377_8287568368932741925.png]. The valid characters are defined in RFC 7230 and RFC 3986
	org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)

Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/9.0.41

Furthermore if you use in datainfo.properties the default for filePath

filePath=${catalina.home}/${WEBAPP.lower}.data/

the not valid url contains the full path of the uploaded file. 'Heresay' says this is something that should be avoided for security reasons.

Requirements:
A Study with a crf, which contains a file-upload-field.

Steps to follow:

• login
• open the CRF in DataEntry mode
• upload a file
• click save
• leave the crf
• open the CRF in DataEntry mode again
• click the download link
• admire the error page

Expected result:
I want may file back.

Actual result:
A tomcat errorpage (text is in Destription).

Server Setup (optional):

• OS [Windows]
• Application Server [e.g. Tomcat-9]
• Libreclinica 1.0 ... Libreclinica 1.2.1

[toskrip]

The DownloadAttachedFile servlet is actually not using the path to file provided in download URL but only the filename is extracted from this path (the absolute path is constructed on server side from scratch). IMHO the better solution would be to pass in download URL only an ID (that would be item_data_id) which is then resolved on server side to locate the actual uploaded file.