Apparently URLEncoder doesn’t even do HTTP form encoding correctly: http://notes.richdougherty.com/2013/07/url-path-segment-encoding.html
Will. From: Michael E. Locasto Michael E. Locasto Reply: [email protected] [email protected] Date: December 7, 2013 at 1:05:05 PM To: [email protected] [email protected] Subject: Re: [langsec-discuss] URL parsing I have found lcamtuf's Browser Security Handbook to be a particularly enlightening resource on this topic for my students: http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators On 12/7/13 12:36 PM, Will Sargent wrote: > While we're on the topic of "X being broken" -- apparently URL parsing has > to be done in stages, and each segment of a URL has different parsing > rules. And java.net.URLEncoder is only useful for HTTP form encoding, not > actual URLs. > > http://blog.palominolabs.com/2013/10/03/creating-urls-correctly-and-safely/ > > Which means everyone using Java, over the last 20 years or so, has been > parsing URLs the wrong way. I'm not sure there's enough face palm. > > Will. > > > > _______________________________________________ > langsec-discuss mailing list > [email protected] > https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss > _______________________________________________ langsec-discuss mailing list [email protected] https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
_______________________________________________ langsec-discuss mailing list [email protected] https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
