James,

On 10/12/17 8:44 PM, James H. H. Lampert wrote:
> Question:
> 
> The application we're developing has a suite of web services
> (RESTful, Swagger-based), and at least one of them can accept a
> pound sign ("#") as a URL parameter.
> 
> Several months ago, with the application and all of its services
> running on Tomcat 7, it was accepting a plain, naked # in the URL.
> Now, running on Tomcat 8.5, it's returning an error message
> ("HTTP/1.1 400").

No client should ever send a naked # to a server. It's a violation of
the spec, full stop. That isn't to say that Tomcat should fail in any
particular way, but Tomcat is well within its rights to say "a # is
not allowed in a URL, so this is a bad request".

> The developer (in a different time zone) has explained about 
> URL-encoding, but hasn't said whether there was anything in his
> code to make it stop tolerating the naked # sign.
> 
> Did the change from Tomcat 7 to Tomcat 8.5 have anything to do
> with this?

Each version of Tomcat gets more and more strict about the garbage it
will accept from clients. This is done to improve the world as a
whole, and also improve security when it comes to things like
converting URL paths into filesystem paths, etc. Strictly speaking,
everything should *always* be safe, but it helps to stop The Badness
at the earliest opportunity.

> And if so, are there any other common ASCII characters that used
> to be accepted as characters, but now have to be URL-encoded?

Anything in the URL spec that is allowed should be allowed. Clients
should expect that anything not mentioned in the spec would be
rejected by a compliant server.

-chris
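As an added example, not part of this thread and not Tomcat code, the
following Python shows both halves of what Chris describes: which
characters RFC 3986 lets a client put literally into a path or query
(so a strict server has no grammar-based reason to reject the request),
and why a naked "#" can never work even before the server is involved:
a spec-compliant client treats everything from the "#" onward as the
fragment and does not transmit it at all. The service URL, the "code"
parameter and the value "AB#12" are hypothetical.

```python
import string
from urllib.parse import urlencode, urlsplit

# RFC 3986 character classes (sections 2.2, 2.3, 3.3 and 3.4):
#   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
#   pchar      = unreserved / pct-encoded / sub-delims / ":" / "@"
#   path       = segments of pchar separated by "/"
#   query      = *( pchar / "/" / "?" )
# "#" appears in none of these: it is the fragment delimiter and ends the
# request-target, so it can never be sent literally inside a parameter.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_CHARS = PCHAR | {"/"}
QUERY_CHARS = PCHAR | {"/", "?"}


def rfc3986_violations(request_target):
    """Return [(index, char), ...] for every character of an origin-form
    request-target (path plus optional ?query) that RFC 3986 does not permit
    literally.  Well-formed %XX triplets are accepted; a bare '%' is a
    violation.  An empty list means the request-target is grammatically
    clean; what a given server additionally tolerates is its own business."""
    violations = []
    in_query = False
    i = 0
    while i < len(request_target):
        c = request_target[i]
        if c == "?" and not in_query:
            in_query = True          # the first "?" switches path -> query
            i += 1
            continue
        if c == "%":
            hexpair = request_target[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
                i += 3               # well-formed pct-encoded octet
                continue
            violations.append((i, c))
            i += 1
            continue
        allowed = QUERY_CHARS if in_query else PATH_CHARS
        if c not in allowed:
            violations.append((i, c))
        i += 1
    return violations


def build_url(base, params):
    """Client-side fix: percent-encode every parameter value.  urlencode()
    turns '#' into %23, ' ' into '+', '/' into %2F, and so on."""
    return base + "?" + urlencode(params)


def query_transmitted(url):
    """What a spec-compliant client actually puts on the wire as the query.
    Everything from the first naked '#' onward is the fragment, which the
    client keeps to itself, so the server never sees that part at all."""
    return urlsplit(url).query


if __name__ == "__main__":
    base = "https://example.test/api/items"          # hypothetical service
    naked = base + "?code=AB#12"                      # constructed bad URL
    fixed = build_url(base, {"code": "AB#12"})        # -> ...?code=AB%2312
    print("naked target  :", "/api/items?code=AB#12",
          rfc3986_violations("/api/items?code=AB#12"))
    print("query on wire :", repr(query_transmitted(naked)))
    print("encoded URL   :", fixed,
          rfc3986_violations("/api/items?" + urlsplit(fixed).query))
```

Running it shows the naked form flagged at the "#" and the query silently
truncated to "code=AB", while the urlencode()d form passes cleanly. The
checker follows the RFC grammar only; it does not reproduce Tomcat's
parser, whose accepted set is a connector setting (relaxedQueryChars and
relaxedPathChars on the HTTP connector). The fix the thread points to is
the client one: encode the value, so "#" travels as %23.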