From 47d1fa0126004db02ab2b9492e613c7b61c49fd2 Mon Sep 17 00:00:00 2001
From: Dmytro Nosan <dimanosan@gmail.com>
Date: Mon, 1 Jun 2026 22:16:13 +0200
Subject: [PATCH] Align W3CHeaderParser decoding with RFC 3986

Replace `URLDecoder.decode` with `StringUtils.uriDecode` to ensure
RFC 3986-compliant decoding. Unlike `URLDecoder`, URI decoding does
not treat `+` as a space and only decodes percent-encoded sequences.

Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
---
 .../boot/opentelemetry/autoconfigure/W3CHeaderParser.java   | 3 +--
 .../opentelemetry/autoconfigure/W3CHeaderParserTests.java   | 6 ++++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/module/spring-boot-opentelemetry/src/main/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParser.java b/module/spring-boot-opentelemetry/src/main/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParser.java
index faf4963cfa2a..268509f8752c 100644
--- a/module/spring-boot-opentelemetry/src/main/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParser.java
+++ b/module/spring-boot-opentelemetry/src/main/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParser.java
@@ -16,7 +16,6 @@
 
 package org.springframework.boot.opentelemetry.autoconfigure;
 
-import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.LinkedHashMap;
@@ -71,7 +70,7 @@ private static String percentDecode(String value) {
 		if (value.indexOf('%') == -1) {
 			return value;
 		}
-		return URLDecoder.decode(value, StandardCharsets.UTF_8);
+		return StringUtils.uriDecode(value, StandardCharsets.UTF_8);
 	}
 
 }
diff --git a/module/spring-boot-opentelemetry/src/test/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParserTests.java b/module/spring-boot-opentelemetry/src/test/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParserTests.java
index a1a1945a4034..411bde52a164 100644
--- a/module/spring-boot-opentelemetry/src/test/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParserTests.java
+++ b/module/spring-boot-opentelemetry/src/test/java/org/springframework/boot/opentelemetry/autoconfigure/W3CHeaderParserTests.java
@@ -55,8 +55,10 @@ void shouldHandleWhitespaceAroundDelimiters() {
 
 	@Test
 	void shouldPercentDecodeValues() {
-		Map<String, String> result = W3CHeaderParser.parse("serverNode=DF%2028,userId=Am%C3%A9lie");
-		assertThat(result).containsExactly(Map.entry("serverNode", "DF 28"), Map.entry("userId", "Amélie"));
+		Map<String, String> result = W3CHeaderParser
+			.parse("serverNode=DF%2028,userId=Am%C3%A9lie,application=%20spring+boot%20");
+		assertThat(result).containsExactly(Map.entry("serverNode", "DF 28"), Map.entry("userId", "Amélie"),
+				Map.entry("application", " spring+boot "));
 	}
 
 	@Test