You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/05/15 15:16:56 UTC

DO NOT REPLY [Bug 9111] New: - URL encoding fails for relative paths in contexts containing "unsafe" characters

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9111>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9111

URL encoding fails for relative paths in contexts containing "unsafe" characters

           Summary: URL encoding fails for relative paths in contexts
                    containing "unsafe" characters
           Product: Tomcat 3
           Version: 3.3.1 Final
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: alexander.lamm@livinglogic.de


I recently moved from Tomcat 3.2.3 to Tomcat 3.3.1 final.
When using a context path containing a '~' character, relative URLs within this 
context were not properly URL encoded when turning off cookies. Since this had 
worked up to now with Tomcat 3.2.3, I went searching the source code and found 
the following in org.apache.tomcat.facade.HttpServletResponseFacade:

When calling encodeURL() for a relative URL, it is made absolute based on the 
request URL retrieved by calling javax.servlet.http.HttpUtils.getRequestURL() 
on the current request object. Now, with Tomcat 3.3.1 the request object 
returns an encoded string for getRequestURI(), which is called by HttpUtils 
internally in getRequestURL(). This is due to the Servlet 2.2 Specification 
Errata (4/27/00).
Before returning the current request URI, which is already decoded, it 
therefore has to be reencoded by using the org.apache.tomcat.util.buf.UEncoder. 
UEncoder encodes all characters in a given string with the proper hexadecimal 
escape sequence except certain "safe" characters which are allowed to be 
unescaped. These "safe" characters include by default "unreserved" characters 
as defined by RFC1738. In contrast to the newer RFC2396 this "unreserved" set 
doesn't include the '~' character. The '~' in our request's path is therefore 
encoded by '%7e'.

Now that the absolute URL for the given relative one is found, it is checked if 
it contains the current request's context path. If it doesn't, no URL encoding 
is desired for this URL. But, since this context path is returned unencoded, 
there is no match between '~' in the context path and '%7e' in the absolute URL 
to encode. This means that our relative URL is not encoded as it should be.

To solve the encountered problem I propose the following patch:

Index: src/facade22/org/apache/tomcat/facade/HttpServletResponseFacade.java
===================================================================
RCS file: /home/cvspublic/jakarta-
tomcat/src/facade22/org/apache/tomcat/facade/HttpServletResponseFacade.java,v
retrieving revision 1.28
diff -u -r1.28 HttpServletResponseFacade.java
--- src/facade22/org/apache/tomcat/facade/HttpServletResponseFacade.java        
22 Mar 2002 02:54:34 -0000      1.28
+++ src/facade22/org/apache/tomcat/facade/HttpServletResponseFacade.java        
15 May 2002 07:45:04 -0000
@@ -64,6 +64,7 @@

 package org.apache.tomcat.facade;

+import org.apache.tomcat.util.buf.UDecoder;
 import org.apache.tomcat.util.res.StringManager;
 import org.apache.tomcat.util.http.*;
 import org.apache.tomcat.core.*;
@@ -416,8 +417,9 @@
            Request request = response.getRequest();
            HttpServletRequestFacade reqF=(HttpServletRequestFacade)request.
                getFacade();
-           String requrl =
-               HttpUtils.getRequestURL(reqF).toString();
+           UDecoder udecoder = request.getURLDecoder();
+           String requrl = udecoder.convert(
+               HttpUtils.getRequestURL(reqF).toString());
            try {
                url = new URL(new URL(requrl), location);
            } catch (MalformedURLException e2) {

It could be more sensible though, to change the way the current request's URL 
is retrieved, or to change UEncoder to conform to RFC2396. I don't have enough 
insight into Tomcat code and the underlying specifications to know about 
possible implications. The patch above worked for me however.

Thanks for regarding my proposal.

Alex.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>