> "Remy Maucherat" <[EMAIL PROTECTED]> writes:
>
> > BTW, you have to encode '/' and ':' in your URI, as you did in the second
> > case. The first URL with unencoded special chars is invalid (i.e., it may
> > work, but it's not sure).
>
> But if I encode `/' (as %2F), then HttpProcessor.normalize() will
> reject it:
>
>     // Prevent encoding '%', '/', '.' and '\', which are special reserved
>     // characters
>     if ((normalized.indexOf("%25") >= 0)
>         || (normalized.indexOf("%2F") >= 0)
>         || (normalized.indexOf("%2E") >= 0)
>         || (normalized.indexOf("%5C") >= 0)
>         || (normalized.indexOf("%2f") >= 0)
>         || (normalized.indexOf("%2e") >= 0)
>         || (normalized.indexOf("%5c") >= 0)) {
>         return null;
>     }
>
> and you're rejecting URIs with this encoded-slash to avoid bypassing
> security. So it sounds like there's no real way to pass in a slash.
> Sorry if I'm being stupid and not seeing the right way to do this.
I was just saying that the '/' should be encoded to comply with the
standard. Tomcat will indeed reject that URL, I know that.
I don't plan to put that normalization code in the new HTTP connector, so
we'll see how many security problems it creates. I think it would be a lot
safer to keep the current HTTP connector frozen, and not fix that issue
there at all.
Remy
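The guard quoted above rejects the encoded forms before any decoding happens. The following is an added example written for this thread, not Tomcat's code; it shows in Java what goes wrong if a request URI is normalized first and percent-decoded afterwards, and how refusing %25, %2F, %2E and %5C up front closes that gap. The class name, method names and probe URIs are the example's own inventions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

// Added example, not Tomcat's code. EncodedSlashDemo and its methods are
// names chosen for this illustration.
public class EncodedSlashDemo {

    /** The guard from the quoted normalize(): refuse encoded '%', '/', '.', '\'. */
    static boolean hasEncodedReservedChar(String uri) {
        String u = uri.toLowerCase(Locale.ROOT);
        return u.contains("%25") || u.contains("%2f")
            || u.contains("%2e") || u.contains("%5c");
    }

    /** Simplified single-pass percent-decoder for a path (ASCII only; '+' is
     *  left alone, whereas java.net.URLDecoder would turn it into a space). */
    static String percentDecode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    out.append((char) ((hi << 4) | lo));
                    i += 3;
                    continue;
                }
            }
            out.append(c);
            i++;
        }
        return out.toString();
    }

    /** Collapse "." and ".." segments; null if ".." would climb above the root. */
    static String collapseDots(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** Wrong order: normalize the raw URI, then decode. Encoded slashes and
     *  dots are invisible to the normalizer and reappear after decoding. */
    static String normalizeThenDecode(String rawUri) {
        String normalized = collapseDots(rawUri);
        return normalized == null ? null : percentDecode(normalized);
    }

    /** Order used with the quoted guard: refuse encoded reserved characters,
     *  decode once, then normalize what the decoder produced. */
    static String guardDecodeThenNormalize(String rawUri) {
        if (hasEncodedReservedChar(rawUri)) {
            return null;
        }
        return collapseDots(percentDecode(rawUri));
    }

    public static void main(String[] args) {
        // Constructed probe URIs for the demonstration.
        String[] probes = {
            "/app/..%2F..%2Fetc/passwd",   // encoded '/' hides the ".." segments
            "/app/%2e%2e/secret",          // encoded '.' does the same
            "/app/%252e%252e/secret",      // double-encoded: one decode yields "%2e%2e"
            "/app/../../etc/passwd",       // plain traversal above the root
            "/app/files/report.txt",       // benign
        };
        for (String p : probes) {
            System.out.printf("%-28s normalize-then-decode=%-24s guarded=%s%n",
                p, normalizeThenDecode(p), guardDecodeThenNormalize(p));
        }
    }
}
```

Compile with javac EncodedSlashDemo.java and run it. In the normalize-then-decode order the first probe comes out as /app/../../etc/passwd and the second as /app/../secret, because the normalizer never saw a ".." segment; the double-encoded probe comes out one decode away from the same result, which is why %25 is on the reject list too. With the guard in place all three return null, the plain traversal is refused by the normalizer itself, and the benign path passes unchanged. The price of this guard is exactly the complaint in the thread: there is no way to carry a literal '/' inside a path segment, since the only representation that would survive is the one being rejected.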