https://issues.apache.org/bugzilla/show_bug.cgi?id=53257

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
(In reply to comment #3)
> Conversion of string -> URL is performed via a call to
> ServletContext.getResource(path).
> 
> I have some trouble understanding whether ServletContext API operates on
> urlencoded on non-urlencoded paths.
> 
> My point of view is that argument of ServletContext.getResource() and the
> paths returned by ServletContext.getResourcePaths() are just file system
> paths and they should not be urlencoded.

Having looked at the Javadoc for ServletContext.getResource() I have the
opposite view. Since the URL returned is meant to be independent of where the
resource is located, then it can't be a file system path. It is a URL and as
such needs to be encoded. It could easily be using the http scheme. I haven't
yet checked the rest of the spec for language that supports or undermines that
view. That job is next.

> From the above it follows that method
> o.a.catalina.core.ApplicationContext#getResource(String) that returns
> 
>                 return new URL
>                     ("jndi", "", 0, getJNDIUri(hostName, fullPath),
>                      new DirContextURLStreamHandler(resources));
> 
> is responsible to perform urlencoding of the path. The docs for java.net.URL
> say that "The URL class does not itself encode or decode any URL components
> according to the escaping mechanism defined in RFC2396." So it should
> urlencode the path before constructing the URL. 
> Maybe use new URI(.,.,.,.,.,.,).toURL(); here, as URI class handles encoding.

That I do agree with, although I worry about what it might break.

> I think that JspCompilationContext methods such as #getResource(String),
> #getLastModified(String) should also operate on non-urlencoded strings, like
> ServletContext does. (That is what they already do today. I am just
> clarifying my point of view).

Not sure on this one. I suspect that these may also need to be encoded to
handle all the edge cases.

> There is method DirContextURLConnection#list(). I do not see it called
> anywhere besides o.a.c.startup.ContextConfig#processAnnotationsJndi(), so it
> is like our internal API. It returns url-encoded paths (as modified by
> 1152593). It looks OK with the only place where it is used (and this API is
> not related to ServletContext.getResourcePaths()), but needs to be
> documented.

Whatever is decided, more documentation is almost certain to be helpful to
those looking at this code in a few years time.

> (- BTW, in JspContext#getResource(String) there is
> 306   result = context.getResource(canonicalURI(res));
> 
> The "canonicalURI(res)" call does not hurt, but it seems excessive because
> ApplicationContext#getResource(String) will call RequestUtil.normalize() on
> its argument, which does effectively the same.
> )

Then lets remove that bit.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to