Mark Thomas wrote:
On 18/02/2013 09:54, Rainer Jung wrote:
On 17.02.2013 23:57, André Warnier wrote:

Otherwise, my feeling is that it will cost you quite a number of beers
to stop Mark from fixing what could potentially be a security issue, now
that he's sniffed it.
:)

Not sure whether Mark's sniffing changes based on the fact that we are
now talking about the AJP part of the connectors.

It does mean I'm rather less concerned since that explains why the
request wasn't rejected with a 400 response.

Well, the OP did not specifically test with the HTTP Connector, but it doesn't mean that the issue is not there too...


I still want to look at this to understand why getRequestURI() is
behaving the way it is. There might still be a bug here.


Looks like getRequestURI() is behaving according to the Javadocs though, by providing the original request line undecoded, "as is". The issue is that the request should probably not even get to the point where it can be retrieved by getRequestURI(), no?


The beer question is still open...
