An empty X-Forwarded-Prefix with a path containing escape sequences leads to exceptions.

Author: Andreas Kluth

spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java

@@ -96,7 +96,7 @@ public ServerHttpRequest apply(ServerHttpRequest request) {
 				builder.uri(uri);
 				String prefix = getForwardedPrefix(request);
 				if (prefix != null) {
-					builder.path(prefix + uri.getPath());
+					builder.path(prefix + uri.getRawPath());
 					builder.contextPath(prefix);
 				}
 			}

spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java

@@ -90,6 +90,22 @@ public void xForwardedPrefix() throws Exception {
 		assertForwardedHeadersRemoved(request);
 	}
 
+	@Test
+	public void emptyXForwardedPrefixShouldNotLeadToDecodedPath() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.add("X-Forwarded-Prefix", "");
+		ServerHttpRequest request = MockServerHttpRequest
+				.method(HttpMethod.GET, new URI("https://example.com/a%20b?q=a%2Bb"))
+				.headers(headers)
+				.build();
+
+		request = this.requestMutator.apply(request);
+
+		assertThat(request.getURI()).isEqualTo(new URI("https://example.com/a%20b?q=a%2Bb"));
+		assertThat(request.getPath().value()).isEqualTo("/a%20b");
+		assertForwardedHeadersRemoved(request);
+	}
+
 	@Test
 	public void xForwardedPrefixTrailingSlash() throws Exception {
 		HttpHeaders headers = new HttpHeaders();