https://issues.apache.org/bugzilla/show_bug.cgi?id=53257
--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> --- To determine the file date Compiler class calls JspCompilationContext#getLastModified(String resource) where in my example the resource value is '/jsp/jsp2/el/basic+arithmetic.jsp' It calls some method that converts it into URL, 'jndi:/localhost/examples/jsp/jsp2/el/basic+arithmetic.jsp' It opens url connection from this URL (implemented by DirContextUrlConnection), then calls methods on it, which result in calling DirContextUrlConnection#connect(). The problem is in the following line in o.a.naming.resource.DirContextUrlConnection#connect(): 160 path = URLDecoder.decode(path, "UTF-8"); This call was added in r1152593 to address bug 51584. There are two problems with the line 160 here. 1) The JRE method called here decodes '+' as ' '. That would be correct in a query string or in POST body, but here (in a path) it is not correct. 2) The decode call itself here is wrong. To demonstrate, create one more copy of that sample jsp under the following name: "basic%abarithmetic.jsp" Now let's try accessing http://localhost:8080/examples/jsp/jsp2/el/basic%2Barithmetic.jsp http://localhost:8080/examples/jsp/jsp2/el/basic%25abarithmetic.jsp In JspContext#getLastModified(String resource) the value of resource argument will be '/jsp/jsp2/el/basic+arithmetic.jsp' '/jsp/jsp2/el/basic%abarithmetic.jsp' The URLDecoder.decode() call will decode the above paths one more time, which is wrong. -- You are receiving this mail because: You are the assignee for the bug.