Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/03/01 22:58:37 UTC
[Bug 62150] New: Relative Paths have changd
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
Bug ID: 62150
Summary: Relative Paths have changd
Product: Tomcat 8
Version: 8.5.16
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: myron.uecker@tylertech.com
Target Milestone: ----
It appears that relative paths now resolve differently on the request URI when
forwarding between pages.
Prior to 8.5.16, if you were currently at a url of the form:
test/mypage.jsp
and you attempted to forward the request to another page using a relative path,
you could use
../test/mypage2.jsp
The Request URI would resolve to
test/mypage2.jsp
After 8.5.16, the Request URI now resolves to
test/../test/mypage2.jsp
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62150] Relative Paths have changd
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
--- Comment #1 from Remy Maucherat <re...@apache.org> ---
Created attachment 35750
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35750&action=edit
Patch
Ok, I think it is risky to not use the normalized path instead. r1799115 which
changed this is still kind of odd to me, so I'll let Mark review the thing.
[Bug 62150] Behavior of relative paths with RequestDispatcher has changed
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|NEW |RESOLVED
--- Comment #8 from Mark Thomas <ma...@apache.org> ---
Reviewing this, I am resolving it as WONTFIX.
[Bug 62150] Relative Paths have changd
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
--- Comment #4 from Remy Maucherat <re...@apache.org> ---
Using a relative path to get the RD is not bad. However, far more unusual is
using the requestURI, since you have to deal with annoying stuff when you do
that (URL encoding ...).
[Bug 62150] Relative Paths have changd
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
It may be that the scope of r1799115 that was intended to fix Bug 61185 was a
little too wide. I'll take a look.
[Bug 62150] Relative Paths have changd
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
--- Comment #3 from Myron Uecker <my...@tylertech.com> ---
It was one of those questionable decisions somebody made years ago in our code
to use relative paths for navigation that no longer works after that change.
Thank you for looking at this.
[Bug 62150] Relative Paths have changd
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Indeed. The behaviour of getRequestURI() is at the root of this bug report and
bug 61185.
In terms of guidance from the spec, what we have is:
- getRequestURI() Returns the part of this request's URL from the protocol name
up to the query string in the first line of the HTTP request. The web container
does not decode this String.
- For forward(), the path elements of the request object exposed to the target
servlet must reflect the path used to obtain the RequestDispatcher.
The implication that the value returned by getRequestURI() is unencoded is that
it is also not normalized. This is because, for untrusted URIs, you have to
decode first to ensure any encoded '.' or '/' characters are correctly handled.
Note that for a RequestDispatcher we have a little more leeway because the
paths are trusted.
Bug 61185 was, essentially, that if an encoded path was used to obtain a
RequestDispatcher then when getRequestURI() was called it should return that
original, encoded path.
By extension, if a non-normalized absolute path is used to obtain a request
dispatcher then the expectation is that, for a forward(), getRequestURI()
should return that original, non-normalized path.
Where things get tricky is when a RequestDispatcher is obtained via a relative
path. Which path should the relative path be resolved against (original or
decoded + normalized) and should the path be normalized after it has been made
absolute?
Maybe some examples will help:
Original           RD Path           URI after forward()
/aaa/bbb           zzz               /aaa/zzz
/aaa/../bbb        zzz               /zzz
                                     /aaa/../zzz
/aaa/bbb           ../zzz            /zzz
                                     /aaa/../zzz
/aaa/bbb/../ccc    zzz/xxx/../yyy    /aaa/bbb/../zzz/xxx/../yyy
                                     /aaa/zzz/xxx/../yyy
                                     /aaa/zzz/yyy
Looking at these I'm leaning towards the current behaviour as being closest to
the intention of the spec but I confess that is a purely subjective judgement.
Feedback and further thoughts on the above welcome.
If we do want to normalize something here, I do think the proposed patch isn't
quite right as a RequestDispatcher obtained with a non-normalized path would
not then return that non-normalized path for getRequestURI() after a forward.
If we go this route I think the normalization would need to be earlier.
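The candidate URIs in the table from comment #5, reproduced as an added example (not Tomcat code and not written by any participant in this thread). The class and method names are hypothetical, and the sketch assumes paths that are already percent-decoded and carry no query string; it computes, for each row, the result of resolving against the raw path, against a normalized base, and with the final result normalized.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration; not Tomcat code. Class and method names are hypothetical.
public class RelativeDispatchPaths {

    // Make rdPath absolute by resolving it against the directory part of base.
    static String resolve(String base, String rdPath) {
        if (rdPath.startsWith("/")) {
            return rdPath;
        }
        return base.substring(0, base.lastIndexOf('/') + 1) + rdPath;
    }

    // Collapse "." and ".." segments of a decoded absolute path.
    // Returns null when ".." would climb above the root.
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    return null;
                }
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Rows of the table in comment #5: { original request path, RD path }.
        String[][] rows = {
            {"/aaa/bbb", "zzz"},
            {"/aaa/../bbb", "zzz"},
            {"/aaa/bbb", "../zzz"},
            {"/aaa/bbb/../ccc", "zzz/xxx/../yyy"},
        };
        for (String[] r : rows) {
            String raw = resolve(r[0], r[1]);
            String normBase = resolve(normalize(r[0]), r[1]);
            System.out.printf("%-16s %-15s raw=%s | normalized base=%s | normalized result=%s%n",
                    r[0], r[1], raw, normBase, normalize(raw));
        }
    }
}
```

Application code that compares a path against an access rule should work on the decoded and normalized form rather than on the raw getRequestURI() value, since the three columns differ for every row except the first.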
[Bug 62150] Relative Paths have changd
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
Remy Maucherat <re...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |enhancement
--- Comment #6 from Remy Maucherat <re...@apache.org> ---
Ok, so the option is to put a normalize step in Request.getRequestDispatcher if
this is a relative path. The problem is it's a bit more annoying to do it
earlier as it needs splitting the query string before putting it back.
If you think it is compliant, let's do nothing. Or it could be something
optional with a config setting (there's context.getDispatchersUseEncodedPaths
too). I'll update the bug to be a possible enhancement.
Overall, the spec provides requestURI, but it's mostly useless as you have to
replicate the same complex processing on it that the container does to avoid
security problems.
[Bug 62150] Behavior of relative paths with RequestDispatcher has changed
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
Manish Kumar Sharma <ma...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |manishks344@gmail.com
[Bug 62150] Behavior of relative paths with RequestDispatcher has changed
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
--- Comment #7 from Remy Maucherat <re...@apache.org> ---
*** Bug 62851 has been marked as a duplicate of this bug. ***
[Bug 62150] Behavior of relative paths with RequestDispatcher has changed
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62150
Christopher Schultz <ch...@christopherschultz.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Relative Paths have changd |Behavior of relative paths
| |with RequestDispatcher has
| |changed