https://issues.apache.org/bugzilla/show_bug.cgi?id=53257
--- Comment #4 from Mark Thomas <ma...@apache.org> --- (In reply to comment #3) > Conversion of string -> URL is performed via a call to > ServletContext.getResource(path). > > I have some trouble understanding whether ServletContext API operates on > urlencoded on non-urlencoded paths. > > My point of view is that argument of ServletContext.getResource() and the > paths returned by ServletContext.getResourcePaths() are just file system > paths and they should not be urlencoded. Having looked at the Javadoc for ServletContext.getResource() I have the opposite view. Since the URL returned is meant to be independent of where the resource is located, then it can't be a file system path. It is a URL and as such needs to be encoded. It could easily be using the http scheme. I haven't yet checked the rest of the spec for language that supports or undermines that view. That job is next. > From the above it follows that method > o.a.catalina.core.ApplicationContext#getResource(String) that returns > > return new URL > ("jndi", "", 0, getJNDIUri(hostName, fullPath), > new DirContextURLStreamHandler(resources)); > > is responsible to perform urlencoding of the path. The docs for java.net.URL > say that "The URL class does not itself encode or decode any URL components > according to the escaping mechanism defined in RFC2396." So it should > urlencode the path before constructing the URL. > Maybe use new URI(.,.,.,.,.,.,).toURL(); here, as URI class handles encoding. That I do agree with, although I worry about what it might break. > I think that JspCompilationContext methods such as #getResource(String), > #getLastModified(String) should also operate on non-urlencoded strings, like > ServletContext does. (That is what they already do today. I am just > clarifying my point of view). Not sure on this one. I suspect that these may also need to be encoded to handle all the edge cases. > There is method DirContextURLConnection#list(). I do not see it called > anywhere besides o.a.c.startup.ContextConfig#processAnnotationsJndi(), so it > is like our internal API. It returns url-encoded paths (as modified by > 1152593). It looks OK with the only place where it is used (and this API is > not related to ServletContext.getResourcePaths()), but needs to be > documented. Whatever is decided, more documentation is almost certain to be helpful to those looking at this code in a few years time. > (- BTW, in JspContext#getResource(String) there is > 306 result = context.getResource(canonicalURI(res)); > > The "canonicalURI(res)" call does not hurt, but it seems excessive because > ApplicationContext#getResource(String) will call RequestUtil.normalize() on > its argument, which does effectively the same. > ) Then lets remove that bit. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org