> > > This is even worse because we also won't allow the URL to be encoded like
> > >
> > > http://localhost:8080/servlet/SnoopServlet/http:%2F%2Ffubar
> > >
> > > because we make some rather draconian precautions to ensure that nastily
> > > encoded URLs can't obtain access to protected resources (or even resources
> > > outside the webapp).
> >
> > Hmm... I wonder if Tomcat has the right to make illegal what HTTP would
> > allow?
> 
> As I recall, our constraints were basically lifted from the Apache HTTP
> server.  Our rationale was that it was far better to preclude some odd URLs
> than to leave open the possibility that files outside the web application
> could be accessed via the container.  This was a *really* bad security hole.

So what does the Apache Web Server do for PATH_INFO on a request to
http://foo.com/cgi-bin/somecgi/http://extra.com?

-jh-
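A defender's illustration of the kind of request-path check the thread is discussing, added here and not code from Tomcat or the Apache HTTP server; the policy it enforces (reject percent-encoded separators, decode exactly once, reject empty segments such as `http://`, refuse any traversal above the webapp root) is an assumption modelled on the description above, not the servers' actual rules.

```python
import posixpath
from urllib.parse import unquote

# Assumed policy (not Tomcat's or Apache's): encoded "/" or "\" never
# survive into a resource lookup, so they are refused outright.
ENCODED_SEPARATORS = ("%2f", "%5c")


def check_request_path(raw_path: str):
    """Return (allowed, reason, normalized_path) for a raw request path."""
    lowered = raw_path.lower()
    if any(tok in lowered for tok in ENCODED_SEPARATORS):
        return False, "encoded path separator", None
    decoded = unquote(raw_path)           # decode exactly once
    if "%" in decoded:
        # A second layer of encoding (or a malformed escape) survived decoding
        return False, "double or malformed encoding", None
    if "\\" in decoded or "\x00" in decoded:
        return False, "backslash or NUL in path", None
    if not decoded.startswith("/"):
        return False, "path must be absolute", None
    if "//" in decoded:
        # Covers "/servlet/SnoopServlet/http://fubar" from the thread
        return False, "empty segment", None
    depth = 0
    for seg in decoded.split("/")[1:]:
        if seg == "..":
            depth -= 1
            if depth < 0:
                return False, "traversal above webapp root", None
        elif seg not in ("", "."):
            depth += 1
    # Safe to normalize now; authorization must be applied to this value,
    # not to the raw string the client sent.
    return True, "ok", posixpath.normpath(decoded)
```

Note that `/app/%2e%2e/WEB-INF/web.xml` is accepted but normalizes to `/WEB-INF/web.xml`, which is why any protected-resource check has to run on the returned normalized path rather than on the raw request line.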
