Posted to users@tomcat.apache.org by Stig Kleppe-Jørgensen <fr...@nisgits.net> on 2008/11/18 16:26:26 UTC

Relative redirect with sendRedirect(...)

Hi,

Am I completely mistaken when thinking that a URL like "../../go/here" is
covered under the term relative? 

If not, why doesn't a HttpServletResponse.sendRedirect("../../go/here")
work? As far as I can read from the servlet spec, the servlet engine _must_
resolve relative redirects before sending the redirect back to the browser.
But as far as I can tell, Tomcat does not do this. And furthermore, the
watchdog tests do not have a test for this.


Regards,
Stig Kleppe-Jørgensen
-- 
View this message in context: http://www.nabble.com/Relative-redirect-with-sendRedirect%28...%29-tp20561735p20561735.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Relative redirect with sendRedirect(...)

Posted by Mark Thomas <ma...@apache.org>.
Stig Kleppe-Jørgensen wrote:
>>> If not, why doesn't a HttpServletResponse.sendRedirect("../../go/here")
>>> work? As far as I can read from the servlet spec, the servlet engine
>>> _must_
>>> resolve relative redirects before sending the redirect back to the
>>> browser.
>>> But as far as I can tell, Tomcat does not do this. And furthermore, the
>>> watchdog tests do not have a test for this.
> 
>> Where were you when you issued the redirect?
> 
> I stand in this url:
> 
> http://<host>/<servletpath>/ication/test/fr/ca
> 
> and want to go to this url:
> 
> http://<host>/<servletpath>/ibs/name/test.jar
> 
> When calling 
> 
> httpresponse.sendRedirect("../../../../ibs/name/test.jar")
> 
> Tomcat generates this url:
> 
> http://<host>/<servletpath>/ication/test/fr/ca/../../../../ibs/name/test.jar

Which is perfectly legal. The spec says the URL must be fully qualified /
absolute. It does not say it has to be normalised.

> The same worked in Jetty.

Which is also perfectly legal and spec compliant.

Mark






Re: Relative redirect with sendRedirect(...)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stig,

Stig Kleppe-Jørgensen wrote:
> I stand in this url:
> 
> http://<host>/<servletpath>/ication/test/fr/ca
> 
> and want to go to this url:
> 
> http://<host>/<servletpath>/ibs/name/test.jar

Why not just use absolute URLs?

httpResponse.sendRedirect(httpResponse.encodeRedirectURL("/ibs/name/test.jar"));

> When calling 
> 
> httpresponse.sendRedirect("../../../../ibs/name/test.jar")

That's too many ".." by the way, unless your original URL up at the top
of the message was a path without a resource (i.e. it should have been
.../ca/something).

Taking /<servletpath>/ication/test/fr/ca and applying 4 ".." to it gives
you:

/

:(

> Tomcat generates this url:
> 
> http://<host>/<servletpath>/ication/test/fr/ca/../../../../ibs/name/test.jar

And what does your client (browser) do with this URL?

> The same worked in Jetty.

I'll bet this works in Jetty because Jetty actually does the
normalization, and won't let you redirect a relative path outside of the
current webapp. Try putting "../../../../../../../../../../../../.."
into Jetty and see if it still works.

With Tomcat, the client (browser) is left to interpret the URL and
normalize the path. I'm assuming it does it correctly and sends the user
to http://<host>/ibs/name/test.jar which, I would imagine, does not exist.

-chris

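[Added example, not part of any poster's message and not Tomcat or Jetty code.] The two readings of the redirect discussed in this thread, computed side by side: RFC 3986 resolution of the relative reference against the request URL, and normalisation of the appended form quoted above, each followed by a check that the result stays under the webapp's context path. The host example.test and the context path /app are placeholders standing in for <host> and <servletpath>; the class and method names are hypothetical.

```java
import java.net.URI;

public class RedirectTargetCheck {

    // RFC 3986 resolution, as a client does for a relative Location: the last
    // segment of the request path is dropped before the reference is merged.
    static URI resolveAgainstRequest(String requestUrl, String location) {
        return clampAtRoot(URI.create(requestUrl).resolve(location));
    }

    // The form quoted in the thread: reference appended to the full request
    // path. Normalising it gives the path a client will actually request.
    static URI normaliseAppended(String requestUrl, String location) {
        return clampAtRoot(URI.create(requestUrl + "/" + location).normalize());
    }

    // java.net.URI keeps ".." segments that climb above the root ("/../x");
    // clients stop at the root, so strip them before any prefix check.
    static URI clampAtRoot(URI u) {
        String path = u.getRawPath();
        while (path.startsWith("/../") || path.equals("/..")) {
            path = path.length() > 3 ? path.substring(3) : "/";
        }
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        return URI.create(u.getScheme() + "://" + u.getRawAuthority() + path + query);
    }

    // True only if the target is on the same host and its normalised path is
    // the context path itself or lies below it.
    static boolean staysInContext(URI target, URI request, String contextPath) {
        String p = target.getRawPath();
        return request.getRawAuthority().equalsIgnoreCase(target.getRawAuthority())
                && (p.equals(contextPath) || p.startsWith(contextPath + "/"));
    }

    public static void main(String[] args) {
        String ctx = "/app";                         // placeholder for <servletpath>
        String req = "http://example.test/app/ication/test/fr/ca"; // constructed
        String[] refs = { "../../../../ibs/name/test.jar",
                          "../../../../../../../../ibs/name/test.jar" };
        for (String ref : refs) {
            URI a = resolveAgainstRequest(req, ref);
            URI b = normaliseAppended(req, ref);
            System.out.printf("%s%n  resolved: %s in-context=%b%n  appended: %s in-context=%b%n",
                    ref, a, staysInContext(a, URI.create(req), ctx),
                    b, staysInContext(b, URI.create(req), ctx));
        }
    }
}
```

The prefix check is applied only after dot segments are removed; comparing the unnormalised string against the context path would accept any target that merely begins with it.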


Re: Relative redirect with sendRedirect(...)

Posted by Stig Kleppe-Jørgensen <fr...@nisgits.net>.
>> If not, why doesn't a HttpServletResponse.sendRedirect("../../go/here")
>> work? As far as I can read from the servlet spec, the servlet engine
>> _must_
>> resolve relative redirects before sending the redirect back to the
>> browser.
>> But as far as I can tell, Tomcat does not do this. And furthermore, the
>> watchdog tests do not have a test for this.

> Where were you when you issued the redirect?

I stand in this url:

http://<host>/<servletpath>/ication/test/fr/ca

and want to go to this url:

http://<host>/<servletpath>/ibs/name/test.jar

When calling 

httpresponse.sendRedirect("../../../../ibs/name/test.jar")

Tomcat generates this url:

http://<host>/<servletpath>/ication/test/fr/ca/../../../../ibs/name/test.jar

The same worked in Jetty.

Regards,
Stig
-- 
View this message in context: http://www.nabble.com/Relative-redirect-with-sendRedirect%28...%29-tp20561735p20578482.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Relative redirect with sendRedirect(...)

Posted by Mark Thomas <ma...@apache.org>.
Stig Kleppe-Jørgensen wrote:
> Hi,
> 
> Am I completely mistaken when thinking that a URL like "../../go/here" is
> covered under the term relative? 

No. You are correct.

> If not, why doesn't a HttpServletResponse.sendRedirect("../../go/here")
> work? As far as I can read from the servlet spec, the servlet engine _must_
> resolve relative redirects before sending the redirect back to the browser.
> But as far as I can tell, Tomcat does not do this. And furthermore, the
> watchdog tests do not have a test for this.

Where were you when you issued the redirect?

Mark


