michael-o commented on a change in pull request #406: URL: https://github.com/apache/tomcat/pull/406#discussion_r587564027
########## File path: java/org/apache/catalina/valves/SSLValve.java ########## @@ -137,7 +149,13 @@ public void invoke(Request request, Response response) throws IOException, Servl * separate lines, the CertificateFactory is tolerant of any * additional whitespace. */ - String headerValue = mygetHeader(request, sslClientCertHeader); + String headerValue; + String headerEscapedValue = mygetHeader(request, sslClientEscapedCertHeader); + if (headerEscapedValue != null) { + headerValue = URLDecoder.decode(headerEscapedValue, "ISO-8859-1"); Review comment: No, URLDecoder does *not* decode URIs. It has been designed for HTML forms only. Tomcat has a utility to do this properly. Moreover, it should be either UTF-8 or better the encoding from the `server.xml`. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org