Posted to users@tomcat.apache.org by Dave Cramer <da...@fastcrypt.com> on 2001/09/16 00:53:38 UTC

Trying to use http:// in requestString

Hi,

I am using tomcat 3.3b1 and I have a url

http://host/app/control/http://www.xxx.com/path/file

The servlet is mapped to send /control/* to the class control

When I get the pathInfo it is http:/www.xxx.com/path/file . This doesn't
happen with tomcat 3.2

So I decided to change to 

Servlet mapping /control --> control

http://host/app/control?site=http://www.xxx.com/path/file

Now if I do a request.getAttribute("site"); it is null ??

The queryString is ok though

Looks like there is some processing of the path, and the attributes that
don't like // and http respectively

Is this a bug? Where is the code which is parsing the queryString, and
the attributes

Cheers,

Dave 



Re: Trying to use http:// in requestString

Posted by Pier Fumagalli <pi...@betaversion.org>.
"simon colston" <si...@lexues.co.jp> wrote:

> On Sun, 16 Sep 2001 01:05:52 +0100
> Pier Fumagalli <pi...@betaversion.org> wrote:
> 
> PF> "Dave Cramer" <da...@fastcrypt.com> wrote:
> PF> 
> PF> > Fair enough, as long as it is reliable behaviour I can deal with it
> PF> 
> PF> Nope, it's not... You're not guaranteed that "//" is translated to "/" or
> PF> that "/" is translated to "//////////////", for example... They're all
> PF> equivalent. Don't rely on a specific servlet container feature...
> PF> 
> PF> The only way in which I can see that happen is using a query parameter, and
> PF> URL-encoding the value of that (you're guaranteed that _that_ is not going
> PF> to change, as the servlet engine doesn't have a clue of what's going on in
> PF> your query string, so it doesn't parse URLs in there).
> 
> That's fine unless the target URL has query parameters itself.  Then you find
> yourself in a complicated cycle of trying to distinguish your parameter from
> the target URL parameters, converting '?'s to '&'s, URL encoding and decoding
> parameters. (This is further complicated by multibyte character URL encoding
> which is very poorly supported up to Java 1.3.1)

Not if you URL-encode it:

http://abc.org/test?name=value

becomes

http%3a%2f%2fabc.org%2ftest%3fname%3dvalue

And I don't see any problem with

http://my.dom/servlet?param=http%3a%2f%2fabc.org%2ftest%3fname%3dvalue

    Pier
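
Added example, not part of the original message or of Tomcat's code: a self-contained Java round trip of the approach discussed above, where the target URL carries its own query parameters, shown next to the unencoded form that gets split. The class name, the `site` parameter on `http://my.dom/servlet` and the sample target are constructed for illustration, and the `Charset` overloads of `URLEncoder`/`URLDecoder` assume Java 10 or later.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class NestedUrlParam {
    // Build the outer URL with the target URL carried as one encoded parameter value.
    static String wrap(String servlet, String target) {
        return servlet + "?site=" + URLEncoder.encode(target, StandardCharsets.UTF_8);
    }

    // Split the raw query on '&' and '=' first, then decode each piece;
    // decoding before splitting would reintroduce the ambiguity.
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: the target has its own query string with two parameters.
        String target = "http://abc.org/test?name=value&lang=ja";
        String encoded = wrap("http://my.dom/servlet", target);
        System.out.println("encoded:   " + encoded);
        Map<String, String> ok = parseQuery(URI.create(encoded).getRawQuery());
        System.out.println("site:      " + ok.get("site"));
        System.out.println("roundtrip: " + target.equals(ok.get("site")));

        // Without encoding, the target's '&' splits the value into two outer parameters.
        String raw = "http://my.dom/servlet?site=" + target;
        Map<String, String> bad = parseQuery(URI.create(raw).getRawQuery());
        System.out.println("unencoded: " + bad);

        // Check the recovered value before using it to open a connection.
        URI site = URI.create(ok.get("site"));
        boolean usable = site.isAbsolute() && site.getHost() != null
                && ("http".equals(site.getScheme()) || "https".equals(site.getScheme()));
        System.out.println("usable:    " + usable);
    }
}
```

Inside a servlet, the container performs the split-and-decode step itself and the decoded value is read with `request.getParameter("site")`.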


Re: Trying to use http:// in requestString

Posted by simon colston <si...@lexues.co.jp>.
On Sun, 16 Sep 2001 01:05:52 +0100
Pier Fumagalli <pi...@betaversion.org> wrote:

PF> "Dave Cramer" <da...@fastcrypt.com> wrote:
PF> 
PF> > Fair enough, as long as it is reliable behaviour I can deal with it
PF> 
PF> Nope, it's not... You're not guaranteed that "//" is translated to "/" or
PF> that "/" is translated to "//////////////", for example... They're all
PF> equivalent. Don't rely on a specific servlet container feature...
PF> 
PF> The only way in which I can see that happen is using a query parameter, and
PF> URL-encoding the value of that (you're guaranteed that _that_ is not going
PF> to change, as the servlet engine doesn't have a clue of what's going on in
PF> your query string, so it doesn't parse URLs in there).

That's fine unless the target URL has query parameters itself.  Then you find yourself in a complicated cycle of trying to distinguish your parameter from the target URL parameters, converting '?'s to '&'s, URL encoding and decoding parameters. (This is further complicated by multibyte character URL encoding which is very poorly supported up to Java 1.3.1)

--
simon colston
simon@lexues.co.jp

RE: Trying to use http:// in requestString

Posted by Dave Cramer <da...@fastcrypt.com>.
Pier,

Thanks, I was going to encode them, as per your suggestion.

--dc--

-----Original Message-----
From: Pier Fumagalli [mailto:pier@betaversion.org] 
Sent: September 15, 2001 8:06 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Trying to use http:// in requestString


"Dave Cramer" <da...@fastcrypt.com> wrote:

> Fair enough, as long as it is reliable behaviour I can deal with it

Nope, it's not... You're not guaranteed that "//" is translated to "/"
or that "/" is translated to "//////////////", for example... They're
all equivalent. Don't rely on a specific servlet container feature...

The only way in which I can see that happen is using a query parameter,
and URL-encoding the value of that (you're guaranteed that _that_ is not
going to change, as the servlet engine doesn't have a clue of what's
going on in your query string, so it doesn't parse URLs in there).

    Pier



Re: Trying to use http:// in requestString

Posted by Pier Fumagalli <pi...@betaversion.org>.
"Dave Cramer" <da...@fastcrypt.com> wrote:

> Fair enough, as long as it is reliable behaviour I can deal with it

Nope, it's not... You're not guaranteed that "//" is translated to "/" or
that "/" is translated to "//////////////", for example... They're all
equivalent. Don't rely on a specific servlet container feature...

The only way in which I can see that happen is using a query parameter, and
URL-encoding the value of that (you're guaranteed that _that_ is not going
to change, as the servlet engine doesn't have a clue of what's going on in
your query string, so it doesn't parse URLs in there).

    Pier


RE: Trying to use http:// in requestString

Posted by Dave Cramer <da...@fastcrypt.com>.
Fair enough, as long as it is reliable behaviour I can deal with it

Dave

-----Original Message-----
From: Pier Fumagalli [mailto:pier@betaversion.org] 
Sent: September 15, 2001 7:55 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Trying to use http:// in requestString


"Dave Cramer" <da...@fastcrypt.com> wrote:

> What I get with 3.2
> 
> Is http://www.xxx.com/path/file
> 
> 
> Which is what I want. I don't want the // changed to /
> 
> The application I am working on is using this path info to make a 
> connection to another site,
> 
> So it would be better left alone for me anyways

But it would introduce security bugs in URLs, the URL spec says that
after "://" all "//" are equal to "/", so relying on that behavior is
against the spec...

    Pier



Re: Trying to use http:// in requestString

Posted by Pier Fumagalli <pi...@betaversion.org>.
"Dave Cramer" <da...@fastcrypt.com> wrote:

> What I get with 3.2
> 
> Is http://www.xxx.com/path/file
> 
> 
> Which is what I want. I don't want the // changed to /
> 
> The application I am working on is using this path info to make a
> connection to another site,
> 
> So it would be better left alone for me anyways

But it would introduce security bugs in URLs, the URL spec says that after
"://" all "//" are equal to "/", so relying on that behavior is against the
spec...

    Pier


RE: Trying to use http:// in requestString

Posted by Dave Cramer <da...@fastcrypt.com>.
What I get with 3.2 

Is http://www.xxx.com/path/file


Which is what I want. I don't want the // changed to /

The application I am working on is using this path info to make a
connection to another site,

So it would be better left alone for me anyways

Dave

"Dave Cramer" <da...@fastcrypt.com> wrote:

> Hi,
> 
> I am using tomcat 3.3b1 and I have a url
> 
> http://host/app/control/http://www.xxx.com/path/file
> 
> The servlet is mapped to send /control/* to the class control
> 
> When I get the pathInfo it is http:/www.xxx.com/path/file . This 
> doesn't happen with tomcat 3.2

This seems to be right... (AKA 3.2 is buggy). From an URL perspective

http://host/app/control/http://www.xxx.com/path/file
And 
http://host/app/control/http:/www.xxx.com/path/file
Are exactly the same...

> So I decided to change to
> 
> Servlet mapping /control --> control
> 
> http://host/app/control?site=http://www.xxx.com/path/file
> 
> Now if I do a request.getAttribute("site"); it is null ??
> 
> The queryString is ok though
> 
> Looks like there is some processing of the path, and the attributes 
> that don't like // and http respectively
> 
> Is this a bug? Where is the code which is parsing the queryString, and
> the attributes

I believe you should URLencode that parameter....

    Pier



Re: Trying to use http:// in requestString

Posted by Pier Fumagalli <pi...@betaversion.org>.
"Dave Cramer" <da...@fastcrypt.com> wrote:

> Hi,
> 
> I am using tomcat 3.3b1 and I have a url
> 
> http://host/app/control/http://www.xxx.com/path/file
> 
> The servlet is mapped to send /control/* to the class control
> 
> When I get the pathInfo it is http:/www.xxx.com/path/file . This doesn't
> happen with tomcat 3.2

This seems to be right... (AKA 3.2 is buggy). From an URL perspective

http://host/app/control/http://www.xxx.com/path/file
And 
http://host/app/control/http:/www.xxx.com/path/file
Are exactly the same...

> So I decided to change to
> 
> Servlet mapping /control --> control
> 
> http://host/app/control?site=http://www.xxx.com/path/file
> 
> Now if I do a request.getAttribute("site"); it is null ??
> 
> The queryString is ok though
> 
> Looks like there is some processing of the path, and the attributes that
> don't like // and http respectively
> 
> Is this a bug? Where is the code which is parsing the queryString, and
> the attributes

I believe you should URLencode that parameter....

    Pier