1 files changed, 11 insertions, 5 deletions

diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/HttpRequest.java b/container-core/src/main/java/com/yahoo/jdisc/http/HttpRequest.java
index 4ad38a9f965..598a924b327 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/HttpRequest.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/HttpRequest.java
@@ -8,14 +8,15 @@ import com.yahoo.jdisc.handler.ContentChannel;
 import com.yahoo.jdisc.handler.RequestHandler;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.service.CurrentContainer;
+import org.eclipse.jetty.http.HttpURI;
 import org.eclipse.jetty.util.MultiMap;
-import org.eclipse.jetty.util.UrlEncoded;
 
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.net.URI;
 import java.security.Principal;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
@@ -115,10 +116,15 @@ public class HttpRequest extends Request {
     }
 
     private static Map<String, List<String>> getUriQueryParameters(URI uri) {
-        if (uri.getRawQuery() == null) return Map.of();
-        MultiMap<String> params = new MultiMap<>();
-        UrlEncoded.decodeUtf8To(uri.getRawQuery(), params);
-        return Map.copyOf(params);
+        MultiMap<String> queryParameters = new MultiMap<>();
+        new HttpURI(uri).decodeQueryTo(queryParameters);
+
+        // Do a deep copy so we do not leak Jetty classes outside
+        Map<String, List<String>> deepCopiedQueryParameters = new HashMap<>();
+        for (Map.Entry<String, List<String>> entry : queryParameters.entrySet()) {
+            deepCopiedQueryParameters.put(entry.getKey(), new ArrayList<>(entry.getValue()));
+        }
+        return deepCopiedQueryParameters;
     }
 
     public Method getMethod() {