https://bz.apache.org/bugzilla/show_bug.cgi?id=63104
Mark Thomas <ma...@apache.org> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             OS    |        |All
     Resolution    |---     |WONTFIX
         Status    |NEW     |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---

I'd argue that the behaviour in this case is undefined.

The Javadoc says that a MalformedURLException should be thrown "if the pathname is not given in the correct form". A path of "/../../" is in the correct form.

The Javadoc states that "The path must begin with a / and is interpreted as relative to the current context root...". It does not state that the path must point to a resource within the web application. On that basis, "/../../" is in the correct form.

Whether the Javadoc should be more explicit (I'd argue it should) is something to raise with the Servlet EG at https://github.com/eclipse-ee4j/servlet-api/issues

Since the behaviour is undefined, containers are free to choose their own behaviour in this instance. Tomcat has opted to throw an IAE in an attempt to make it clear that something has gone badly wrong. Trying to step outside the web application root can be an indication of a path traversal attack.
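The practical consequence for application code is that a context-relative path built from user input must be checked before it reaches ServletContext.getResource(), and that a container may answer an escaping path with an IllegalArgumentException rather than the MalformedURLException the Javadoc mentions. The following helper is an added example written for this thread; it is not code from Tomcat or from the bug report. It assumes the javax.servlet API (Tomcat 9 and earlier) and a hypothetical class name SafeContextResource; it normalizes the path lexically, refuses anything that climbs above the context root, and treats the IAE Tomcat throws as "not found" so the request fails closed.

```java
// Added example (not Tomcat's own code): guard a context-relative path before
// handing it to ServletContext.getResource(), and fail closed on the IAE that
// Tomcat throws for paths such as "/../../" (see the comment above).
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.servlet.ServletContext;   // assumption: javax namespace (Tomcat 9 and earlier)

public final class SafeContextResource {   // hypothetical class name

    private SafeContextResource() {}

    /**
     * Unsafe form: the request-supplied path goes straight to the container.
     * With Tomcat this raises IllegalArgumentException for "/../../"; other
     * containers may return a URL outside the web application.
     */
    public static URL lookupUnchecked(ServletContext ctx, String requestedPath)
            throws MalformedURLException {
        return ctx.getResource(requestedPath);
    }

    /**
     * Hardened form: returns the resource URL only for a path that stays inside
     * the context root, otherwise null (caller should respond 404/400).
     */
    public static URL lookup(ServletContext ctx, String requestedPath)
            throws MalformedURLException {
        String normalized = normalizeContextPath(requestedPath);
        if (normalized == null) {
            return null;                       // not a context-relative path, or it escapes the root
        }
        try {
            return ctx.getResource(normalized);
        } catch (IllegalArgumentException e) {
            // Tomcat's signal that the path tried to leave the web application root.
            // Log it for detection purposes and treat it as "not found".
            ctx.log("rejected resource path: " + requestedPath);
            return null;
        }
    }

    /**
     * Lexical normalization: collapses "." and empty segments, resolves ".."
     * against the preceding segment, and returns null if ".." would climb
     * above "/". The result always begins with "/" as the Javadoc requires.
     */
    static String normalizeContextPath(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null;               // "/../../" ends up here
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        return "/" + String.join("/", segments);
    }

    // Stand-alone check of the normalizer (no container needed):
    //   "/WEB-INF/../index.html" -> "/index.html"
    //   "/css/./site.css"        -> "/css/site.css"
    //   "/../../"                -> null
    //   "relative/path"          -> null
    public static void main(String[] args) {
        String[] samples = { "/WEB-INF/../index.html", "/css/./site.css", "/../../", "relative/path" };
        for (String sample : samples) {
            System.out.println(sample + " -> " + normalizeContextPath(sample));
        }
    }
}
```

The normalizer is deliberately lexical rather than filesystem-based: the check must hold regardless of how the container maps the context root to disk or to a packed WAR, and a lexical rule is what the Javadoc's "must begin with a /" wording actually constrains. Backslashes and percent-encoded separators are passed through untouched here, so a deployment that decodes them before this point needs the check applied after decoding.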