Hi everyone,
we were in progress of moving our project to tomcat 3.2.3 when we came
accross the new handling of URIs (release-notes sec. 7.2).
Since we are using the URI to transport other hierarchical information
then filesystem paths, we have the feeling, that this kind of
functionality belongs to the default servlet serving filesystem
requests. Especialy the fact that %25, %2E, %2F and %5c inside an URI
lead to a 404 error seems to somewhat strange.
For Example: http://server/app/UCB/vnd.sun.star.hier:%2F/address/myresource
would be rejected, before app has teh possibilty to look at the request
and ...hier://address/myfile... would be normalized to hier:/address.
We are perfectly aware of the security concerns behind these changes.
However, they only apply when serving resources from the filesystem. A
URL's path-components however are in no way bound to the representaion
of filesystem paths.(After all, the U in URL stands for universal :)
RFC 2396 states that '/' in an URI has another semantic meaning then %2F
in an URI. The '/' seperates path-components, while the %2F means a
slash character in a path-component. When such an URI is mapped to a
filesystem this would denote a filename that contains a slash. When the
system does not allow for such names, it is the responsebilty of the
filesystem servlet to report an error (404 since such a file must not
exist on unix for example).
What are your opinions on this?
Cheers
-Lars
--
----------------------------------------------------------------------
Lars Oppermann <[EMAIL PROTECTED]> Sun Microsystems
Software Engineer - Sun ONE Webtop Sachsenfeld 4
Phone: +49 40 23646 959 D-20097 Hamburg
Fax: +49 40 23646 550 http://www.sun.com/webtop
