Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/07/09 19:00:35 UTC
[Bug 53062] Tomcat doesn't normalize absolute urls for redirect
https://issues.apache.org/bugzilla/show_bug.cgi?id=53062
--- Comment #6 from Konstantin Preißer <pr...@web.de> ---
Hi,
it seems that the URL normalization which has been added to Tomcat 7.0.28
includes the querystring part of the URL in the normalization process.
I'm not 100% sure if the character '/' is allowed to appear unencoded in the
query string part, but according to some sites which reference RFC 3986 [1], it
is.
Although most commonly used URL-encoding methods (like
java.net.URLEncoder.encode()) encode the '/' character as "%2F", it may be
possible that some applications use that char directly in a querystring, which
is then given to response.sendRedirect().
Imagine a servlet available at URL
http://localhost/Test/SomeServlet
calls
response.sendRedirect("OtherServlet?someText=A/../B");
then the resulting HTTP 302 header will be:
Location: http://localhost/Test/B
instead of
Location: http://localhost/Test/OtherServlet?someText=A/../B
so the querystring part is unintentionally modified. Maybe this needs to be
fixed?
[1]
http://www.456bereastreet.com/archive/201008/what_characters_are_allowed_unencoded_in_query_strings/
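To make the behaviour described in this comment concrete, here is an added example (not Tomcat's code, and not from the commenter) that implements dot-segment removal two ways: once over everything after the authority, which is the failure mode reported above, and once over the path component only, with the query string carried through untouched. The request URL, the redirect target and the `build_location` helper are the comment's scenario and an assumed name, not a Tomcat API.

```python
"""Added example: why redirect normalization must stop at the query string."""
from urllib.parse import urljoin, urlsplit, urlunsplit


def remove_dot_segments(path: str) -> str:
    """Collapse "." and ".." segments (RFC 3986 section 5.2.4 style)."""
    absolute = path.startswith("/")
    out = []
    for seg in path.lstrip("/").split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return ("/" if absolute else "") + "/".join(out)


def normalize_naive(url: str) -> str:
    """Defective variant: treats everything after the authority as a path.

    A '/' inside the query string is mistaken for a segment separator, so
    "A/../B" in a query parameter eats the preceding path segment.
    """
    scheme, sep, rest = url.partition("://")
    authority, slash, tail = rest.partition("/")
    return scheme + sep + authority + remove_dot_segments(slash + tail)


def normalize_path_only(url: str) -> str:
    """Correct variant: split the URL first, normalize only the path."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=remove_dot_segments(parts.path)))


def build_location(request_url: str, target: str, naive: bool = False) -> str:
    """Resolve a sendRedirect() target against the request URL, then normalize.

    `naive=True` reproduces the reported bug; the default keeps the query intact.
    """
    absolute = urljoin(request_url, target)
    return normalize_naive(absolute) if naive else normalize_path_only(absolute)


def query_preserved(request_url: str, target: str) -> bool:
    """Check a defender can run: did normalization alter the query string?"""
    intended = urlsplit(urljoin(request_url, target)).query
    actual = urlsplit(build_location(request_url, target)).query
    return intended == actual


if __name__ == "__main__":
    # Constructed sample input: the scenario from the bug comment.
    req = "http://localhost/Test/SomeServlet"
    tgt = "OtherServlet?someText=A/../B"
    print("buggy  :", build_location(req, tgt, naive=True))
    print("correct:", build_location(req, tgt))
```

Running it prints `Location` values `http://localhost/Test/B` for the naive path and `http://localhost/Test/OtherServlet?someText=A/../B` for the path-only one. The practical check is `query_preserved`: if a redirect target's query string changes after normalization, the implementation is normalizing beyond the path.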