James,

On 10/12/17 8:44 PM, James H. H. Lampert wrote:
> Question:
>
> The application we're developing has a suite of web services
> (RESTful, Swagger-based), and at least one of them can accept a
> pound sign ("#") as a URL parameter.
>
> Several months ago, with the application and all of its services
> running on Tomcat 7, it was accepting a plain, naked # in the URL.
> Now, running on Tomcat 8.5, it's returning an error message
> ("HTTP/1.1 400").

No client should ever send a naked # to a server. It's a violation of the spec, full stop. That isn't to say that Tomcat should fail in any particular way, but Tomcat is well within its rights to say "a # is not allowed in a URL, so this is a bad request".

> The developer (in a different time zone) has explained about
> URL-encoding, but hasn't said whether there was anything in his
> code to make it stop tolerating the naked # sign.
>
> Did the change from Tomcat 7 to Tomcat 8.5 have anything to do
> with this?

Each version of Tomcat gets more and more strict about the garbage it will accept from clients. This is done to improve the world as a whole, and also improve security when it comes to things like converting URL paths into filesystem paths, etc. Strictly speaking, everything should *always* be safe, but it helps to stop The Badness at the earliest opportunity.

> And if so, are there any other common ASCII characters that used
> to be accepted as characters, but now have to be URL-encoded?

Anything in the URL spec that is allowed should be allowed. Clients should expect that anything not mentioned in the spec would be rejected by a compliant server.

-chris
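
Added example, not part of the original message and not Tomcat's code: a Python sketch that lists the characters RFC 3986 does not allow in the path or query of a request target, next to a client-side builder that percent-encodes parameter values so "#" is sent as "%23". The function names, the sample path `/api/items` and the parameter `tag` are constructed for illustration; which characters a given Tomcat version actually rejects is not asserted here.

```python
import string
from urllib.parse import quote

# Character classes from RFC 3986 (sections 2.3, 2.2, 3.3 and 3.4).
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_OK = PCHAR | {"/"}          # path segments separated by "/"
QUERY_OK = PCHAR | {"/", "?"}    # query = *( pchar / "/" / "?" )
HEX = set(string.hexdigits)


def illegal_chars(request_target):
    """Return (offset, char) for each character the RFC 3986 grammar
    does not allow in the path or query of an origin-form target."""
    path, _, query = request_target.partition("?")
    bad = []
    for base, part, allowed in ((0, path, PATH_OK),
                                (len(path) + 1, query, QUERY_OK)):
        i = 0
        while i < len(part):
            c = part[i]
            # A well-formed percent-escape (%XX) is always acceptable.
            if c == "%" and len(part) >= i + 3 and set(part[i + 1:i + 3]) <= HEX:
                i += 3
                continue
            if c not in allowed:
                bad.append((base + i, c))
            i += 1
    return bad


def build_target(path, params):
    """Client side: percent-encode every parameter name and value.
    safe="" leaves only unreserved characters unencoded."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in params.items())
    encoded_path = quote(path)   # default safe="/" keeps the separators
    return f"{encoded_path}?{query}" if query else encoded_path


if __name__ == "__main__":
    naked = "/api/items?tag=#42"                      # constructed sample
    print(naked, "->", illegal_chars(naked))
    fixed = build_target("/api/items", {"tag": "#42"})
    print(fixed, "->", illegal_chars(fixed))
```
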