https://bz.apache.org/bugzilla/show_bug.cgi?id=61351
--- Comment #1 from Mark Thomas <ma...@apache.org> --- The requirement the URL patterns in web.xml must be decoded dates back to Servlet 2.3 (see r285186). In more recent times this has been tweaked so the the charset used to do the decoding is consistent with the charset used for the web.xml file (see r1758423). However, the expectation from the Java EE XSD is that: <quote> This pattern is assumed to be in URL-decoded form and must not contain CR(#xD) or LF(#xA) </quote> The Servlet specification also references RFC 3986 although it doesn't offer a view on where that RFC applies and where it does not. Those do not appear to be entirely consistent. Given the above, it is also worth noting the rare edge cases where a literal '*' or '%' needs to be used in the url-pattern. So, where to go from here? My current thinking is that Tomcat needs to assume the url-patterns may be partially decoded. i.e. they may contain characters not permitted by RFC 3986 and they may also contain %nn sequences that need to be decoded. Therefore, r1793440 needs to be reverted / rewritten on that basis. I'm going to start work in this direction but if folks disagree with my analysis or think I have missed one or more important points, please do speak up. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
