https://issues.apache.org/bugzilla/show_bug.cgi?id=53257

--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> ---
To determine the file date, the Compiler class calls
JspCompilationContext#getLastModified(String resource)
where in my example the resource value is
'/jsp/jsp2/el/basic+arithmetic.jsp'

It calls some method that converts it into a URL,
'jndi:/localhost/examples/jsp/jsp2/el/basic+arithmetic.jsp'

It opens a URL connection from this URL (implemented by DirContextUrlConnection),
then calls methods on it, which result in calling
DirContextUrlConnection#connect().


The problem is in the following line in
o.a.naming.resource.DirContextUrlConnection#connect():

160        path = URLDecoder.decode(path, "UTF-8");

This call was added in r1152593 to address bug 51584.

There are two problems with line 160 here.
1) The JRE method called here decodes '+' as ' '. That would be correct in a
query string or in a POST body, but here (in a path) it is not correct.

2) The decode call itself here is wrong. To demonstrate, create one more copy
of that sample jsp under the following name: "basic%abarithmetic.jsp"

Now let's try accessing
http://localhost:8080/examples/jsp/jsp2/el/basic%2Barithmetic.jsp
http://localhost:8080/examples/jsp/jsp2/el/basic%25abarithmetic.jsp

In JspContext#getLastModified(String resource) the value of the resource
argument will be
'/jsp/jsp2/el/basic+arithmetic.jsp'
'/jsp/jsp2/el/basic%abarithmetic.jsp'

The URLDecoder.decode() call will decode the above paths one more time, which
is wrong.

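The double decode described in this comment, as an added example that is not part of the original comment and is not Tomcat's code: it decodes the two request URLs from the comment once with java.net.URI#getPath(), then applies URLDecoder.decode() a second time, as line 160 does. The class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URLDecoder;

public class DoubleDecodeDemo {

    // Decode the path of a request URL exactly once. URI#getPath()
    // percent-decodes the path component and leaves '+' untouched,
    // because '+' means space only in form-encoded data (query string
    // or POST body), not in a path.
    static String decodeOnce(String requestUrl) {
        return URI.create(requestUrl).getPath();
    }

    // The call from line 160, applied to a path that is already decoded.
    static String decodeAgain(String alreadyDecodedPath) throws Exception {
        return URLDecoder.decode(alreadyDecodedPath, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // The two URLs used in the comment.
        String[] urls = {
            "http://localhost:8080/examples/jsp/jsp2/el/basic%2Barithmetic.jsp",
            "http://localhost:8080/examples/jsp/jsp2/el/basic%25abarithmetic.jsp",
        };
        for (String url : urls) {
            String once = decodeOnce(url);
            String twice = decodeAgain(once);
            System.out.println("request URL   : " + url);
            System.out.println("decoded once  : " + once);
            System.out.println("decoded twice : " + twice);
            // If the second decode changes the string, the lookup is made
            // for a different name than the one the client requested.
            System.out.println("same resource : " + once.equals(twice));
            System.out.println();
        }
    }
}
```

For both URLs the second decode yields a name that differs from the file on disk: the '+' becomes a space, and '%ab' is consumed as an escape sequence instead of being kept as literal characters.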