Posted to dev@tomcat.apache.org by Phil Hanna <au...@philhanna.com> on 2000/05/18 03:58:34 UTC

Partial fix for URL rewriting bug in HttpServletResponseFacade.java

The isEncodeable() method compares two URLs component-wise, including port number.  However, the java.net.URL getHost() method correctly returns -1 for the default port when it is not specified.  request.getServerPort() returns 80.  This results in a mismatch where one should not occur.

My patch converts -1 to the default value of 80 in both cases before the comparison.

Note: This doesn't fix the encodeURL() problem that occurs when cookies are turned off.  Is there some reason why the jsessionid is encoded with ";" instead of "?"?  JRun treats the session ID parameter like any other parameter, and it seems to work fine.

P.S.: Is bugzilla still down?  Is tomcat-dev the preferred place to submit patches in the meantime?

--- HttpServletResponseFacade.java Sat May 13 20:21:38 2000
+++ HttpServletResponseFacade.java.new Wed May 17 21:46:42 2000
@@ -297,7 +297,13 @@
      return (false);
  if (!request.getServerName().equalsIgnoreCase(url.getHost()))
      return (false);
- if (request.getServerPort() != url.getPort())
+ int serverPort = (request.getServerPort() == -1)
+            ? 80
+            : request.getServerPort();
+ int urlPort = (url.getPort() == -1)
+            ? 80
+            : url.getPort();
+ if (serverPort != urlPort)
      return (false);
  String contextPath = request.getContext().getPath();
  if ((contextPath != null) && (contextPath.length() > 0)) {
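
Review bot: The hard-coded default of 80 in the two added ternaries is only right for plain http. On an https request, getServerPort() returns 443 while a portless https URL still gives url.getPort() == -1, which this code maps to 80, so the comparison fails and the same mismatch remains for secure pages. Consider choosing the default from the scheme (443 for https, 80 for http, via url.getProtocol() or request.getScheme()) and comparing the schemes themselves before the ports. A short comment that -1 means "no port given in the URL" would also help, and request.getServerPort() can be read once into a local instead of being called twice.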


Re: Partial fix for URL rewriting bug in HttpServletResponseFacade.java

Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Phil Hanna wrote:
> [...]
> Note: This doesn't fix the encodeURL() problem that occurs when cookies are 
> turned off.  Is there some reason why the jsessionid is encoded with ";" 
> instead of "?"?  JRun treats the session ID parameter like any other parameter, 
> and it seems to work fine.

The reason is that jsessionid is a "path parameter" (the term used in the HTTP
spec) as opposed to a regular query string parameter, exactly as specified in
the Servlet 2.2 spec. Using a query string parameter for the session ID doesn't
work in all cases, such as if you encode the URL for a <img src> tag and use an
image map (some browsers just add "?x=12&y=34" query string params, creating an
invalid URL like "/myimage.gif?jsessionid=1234?x=12&y=34"), or when you encode
a URL like "/foo.jsp?foo=bar" (ends up as "/foo.bar?jsessionid=1234?foo=bar").

JRun is, in other words, wrong. I sent them a bug report about this a while
back but I'm not sure if it's fixed in JRun 3.0.

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
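
The path-parameter placement described in the reply above, as an added example that is not code from this thread or from Tomcat. The class and method names are hypothetical, the URLs and session ID are constructed samples, and the same-server check uses the scheme's default port, which goes beyond the fixed 80 in the patch.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Hypothetical illustration class; not part of Tomcat.
public class SessionUrlRewriteExample {

    // Treat an unspecified port (-1) as the scheme's default, so that
    // http://host/ and http://host:80/ compare equal.
    static int effectivePort(URL url) {
        return url.getPort() != -1 ? url.getPort() : url.getDefaultPort();
    }

    // Only URLs pointing back at the same scheme, host and port get the session ID.
    static boolean sameServer(URL request, URL target) {
        return request.getProtocol().equalsIgnoreCase(target.getProtocol())
            && request.getHost().equalsIgnoreCase(target.getHost())
            && effectivePort(request) == effectivePort(target);
    }

    // Put ";jsessionid=<id>" at the end of the path, before any "?query" or "#fragment".
    static String withPathParameter(String url, String sessionId) {
        int cut = url.length();
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (f >= 0) cut = Math.min(cut, f);
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    // Query-string style added with "?": yields a second "?" if the URL already has a query.
    static String withNaiveQueryParameter(String url, String sessionId) {
        return url + "?jsessionid=" + sessionId;
    }

    public static void main(String[] args) throws MalformedURLException {
        URL request = new URL("http://www.example.com/app/index.jsp"); // constructed sample
        String id = "1234";                                            // constructed sample
        String[] links = {
            "http://www.example.com:80/foo.jsp?foo=bar", // same server, explicit port
            "http://www.example.com/myimage.gif",        // same server, no port
            "http://other.example.org/foo.jsp",          // different host: left untouched
        };
        for (String link : links) {
            String out = sameServer(request, new URL(link)) ? withPathParameter(link, id) : link;
            System.out.println(link + " -> " + out);
        }
        System.out.println(withNaiveQueryParameter("/foo.jsp?foo=bar", id));
    }
}
```

Leaving the third link unchanged is the purpose of the host and port comparison: the session ID is written only into URLs that return to the server that issued it.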