Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/10/25 13:30:37 UTC

DO NOT REPLY [Bug 13969] New: - ':' in parameter breaks encodeURL() and encodeRedirectURL()

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13969

           Summary: ':' in parameter breaks encodeURL() and
                    encodeRedirectURL()
           Product: Tomcat 4
           Version: 4.1.10
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: boris@folgmann.de


A DESCRIPTION OF THE PROBLEM :
The ':' character is not encoded properly by encodeURL() or
redirectURL(). In fact it seems to confuse the method a lot.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Try this inside a JSP:
<%
response.sendRedirect(response.encodeRedirectURL("bug.jsp?ready=Saturday 04:30")); %>

2. Load the page in your browser
3. See the totally wrong encoded URL in the address field

EXPECTED VERSUS ACTUAL BEHAVIOR :
The above URL should be encoded to:
http://localhost:8081/bug.jsp?ready=Saturday%2004%3A30

In fact it's encoded to:
http://localhost:8081/bug.jsp?ready=saturday%2004:?ready=Saturday%2004:30

RESULTING PROBLEMS:
With this more or less destroyed URL the redirect or an <a href=""> doesn't work
if a ':' is passed through a CGI parameter. Problems get even worse if you have
to rely on the sessionid in the URL.


REPRODUCIBILITY :
This bug can be reproduced always.

Try this demo.jsp:
<%@page contentType="text/html"%>
<% response.sendRedirect(response.encodeRedirectURL("bug.jsp?ready=Saturday 04:30")); %>

JDK:
java version "1.4.1"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1-b21)
Java HotSpot(TM) Client VM (build 1.4.1-b21, mixed mode)
Java 2 Enterprise Edition version 1.3.1, build 1.3.1-b17

OPERATING SYSTEM:
Red Hat Linux release 8.0 (Psyche)
Linux 2.4.18-17.8.0 #1 Tue Oct 8 13:51:08 EDT 2002 i686 i686 i386 GNU/Linux
glibc-2.2.93-5
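
An added example, not part of the original report and not Tomcat code: a caller-side way to percent-encode the parameter value so that no raw space or ':' reaches encodeRedirectURL(), plus an RFC 3986 scheme test showing that a ':' after '?' does not make a URL absolute. The class and method names are hypothetical, and URLEncoder.encode(String, Charset) assumes Java 10 or later; the scheme test makes no claim about the cause of this bug.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectQuery {

    // Percent-encode one query name or value. URLEncoder emits form encoding,
    // where a space becomes '+'; a literal '+' is already "%2B" at that point,
    // so rewriting '+' to "%20" is unambiguous.
    static String encodeComponent(String raw) {
        return URLEncoder.encode(raw, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Append encoded parameters to a path that carries no query string yet.
    static String withParams(String path, Map<String, String> params) {
        StringBuilder url = new StringBuilder(path);
        char sep = '?';
        for (Map.Entry<String, String> p : params.entrySet()) {
            url.append(sep).append(encodeComponent(p.getKey()))
               .append('=').append(encodeComponent(p.getValue()));
            sep = '&';
        }
        return url.toString();
    }

    // RFC 3986 scheme test: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") then ':'.
    // A ':' that first appears after '/', '?', '#' or a space is not a scheme delimiter.
    static boolean hasScheme(String url) {
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c == ':') return i > 0;
            boolean alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            boolean rest = (c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.';
            if (!(alpha || (i > 0 && rest))) return false;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("ready", "Saturday 04:30");   // parameter value taken from the report
        String url = withParams("bug.jsp", params);
        System.out.println(url + " hasScheme=" + hasScheme(url));
        System.out.println("raw form hasScheme=" + hasScheme("bug.jsp?ready=Saturday 04:30"));
        // In the JSP: response.sendRedirect(response.encodeRedirectURL(url));
    }
}
```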
