Description
This was tested against 2.3.1 and HEAD.
Consider this class:
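    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.QueryParam;

    @Path("/test")
    public class Test {
        // Field injection: populated from the "q" query parameter.
        @QueryParam("q")
        private String q;

        @GET
        public void test() {
            System.err.println(q);
        }
    }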
Now consider this test case:
    $ curl http://localhost:8080/test        # prints "null"
    $ curl http://localhost:8080/test?q=foo  # prints "foo"
    $ curl http://localhost:8080/test        # prints "foo" !
This is a serious bug because it leaks information. It's not specific to @QueryParam; the other annotations have the same problem.
I discovered it in a resource that is used for authentication: after logging in once, I could log in again without providing a username and password!
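
A minimal model of the behaviour reported above, added here as an illustration and not taken from the project's code. It assumes the resource instance is reused across requests and that the injector skips fields whose parameter is absent; `Param` (a stand-in for `@QueryParam`), `Resource`, `inject` and `replay` are hypothetical names.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Field;
import java.util.List;
import java.util.Map;

public class StaleInjectionModel {
    // Stand-in for @QueryParam so the model runs without a JAX-RS runtime.
    @Retention(RetentionPolicy.RUNTIME)
    @interface Param { String value(); }

    static class Resource { @Param("q") String q; }

    // resetAbsent=false models the assumed fault: a field is only written when
    // its parameter is present, so an old value survives on a reused instance.
    // resetAbsent=true is the invariant a fix needs: every annotated field is
    // assigned on every request, with null when the parameter is missing.
    static void inject(Object resource, Map<String, String> query, boolean resetAbsent)
            throws IllegalAccessException {
        for (Field f : resource.getClass().getDeclaredFields()) {
            Param p = f.getAnnotation(Param.class);
            if (p == null) continue;
            if (query.containsKey(p.value()) || resetAbsent) {
                f.setAccessible(true);
                f.set(resource, query.get(p.value())); // null when absent
            }
        }
    }

    // Replays the three requests from the report against one shared instance
    // and records what the handler would print for each.
    static String[] replay(boolean resetAbsent) throws IllegalAccessException {
        Resource shared = new Resource();
        List<Map<String, String>> requests =
                List.of(Map.of(), Map.of("q", "foo"), Map.of()); // constructed input
        String[] seen = new String[requests.size()];
        for (int i = 0; i < seen.length; i++) {
            inject(shared, requests.get(i), resetAbsent);
            seen[i] = String.valueOf(shared.q);
        }
        return seen;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("skip absent:  " + String.join(", ", replay(false)));
        System.out.println("reset absent: " + String.join(", ", replay(true)));
    }
}
```

With `resetAbsent` false the third request sees the second request's value, matching the curl sequence in the report; with it true the third request sees null again.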