Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/07/09 19:00:35 UTC

[Bug 53062] Tomcat doesn't normalize absolute urls for redirect

https://issues.apache.org/bugzilla/show_bug.cgi?id=53062

--- Comment #6 from Konstantin Preißer <pr...@web.de> ---
Hi,

it seems that the URL normalization which has been added to Tomcat 7.0.28
includes the querystring part of the URL in the normalization process.

I'm not 100% sure if the character '/' is allowed to appear unencoded in the
query string part, but according to some sites which reference RFC 3986 [1], it
is.

Although most commonly used URL-encoding methods (like
java.net.URLEncoder.encode()) encode the '/' character as "%2F", it may be
possible that some applications use that char directly in a querystring, which
is then given to response.sendRedirect().

Imagine a servlet available at URL

    http://localhost/Test/SomeServlet

calls

    response.sendRedirect("OtherServlet?someText=A/../B");

then the resulting HTTP 302 header will be:

    Location: http://localhost/Test/B

instead of

    Location: http://localhost/Test/OtherServlet?someText=A/../B

so the querystring part is unintentionally modified. Maybe this needs to be
fixed?


[1]
http://www.456bereastreet.com/archive/201008/what_characters_are_allowed_unencoded_in_query_strings/
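Added illustration of the behaviour reported in this comment (not Tomcat's code): a naive normalizer that runs dot-segment removal over path and query together, beside a version that only normalizes the path component. The request URL and redirect target are the ones from the comment; the helper names are made up for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs taken from the comment: request URL and sendRedirect() argument.
REQUEST_URL = "http://localhost/Test/SomeServlet"
REDIRECT_TARGET = "OtherServlet?someText=A/../B"


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' in an absolute URL *path* (simplified RFC 3986 5.2.4)."""
    out = []
    segs = path.split("/")
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")          # '/a/.' -> '/a/'
            continue
        if seg == "..":
            if len(out) > 1:            # never pop the leading '' of an absolute path
                out.pop()
            if last:
                out.append("")          # '/a/b/..' -> '/a/'
            continue
        out.append(seg)
    return "/".join(out)


def normalize_redirect_naive(url: str) -> str:
    """Buggy: normalizes everything after the host, so '/' inside the query is treated as a path separator."""
    scheme, rest = url.split("://", 1)
    host, _, path_and_query = rest.partition("/")
    return f"{scheme}://{host}" + remove_dot_segments("/" + path_and_query)


def normalize_redirect_fixed(url: str) -> str:
    """Split the URL first and normalize only the path; query and fragment are passed through untouched."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, remove_dot_segments(p.path), p.query, p.fragment))


def build_location(request_url: str, target: str, normalize) -> str:
    """Turn a relative sendRedirect() argument into an absolute Location value, then normalize it."""
    base = urlsplit(request_url)
    base_dir = base.path.rsplit("/", 1)[0] + "/"      # '/Test/SomeServlet' -> '/Test/'
    return normalize(f"{base.scheme}://{base.netloc}{base_dir}{target}")


if __name__ == "__main__":
    print("naive:", build_location(REQUEST_URL, REDIRECT_TARGET, normalize_redirect_naive))
    print("fixed:", build_location(REQUEST_URL, REDIRECT_TARGET, normalize_redirect_fixed))
```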
