Mark,

On 4/8/18 6:39 PM, Mark Thomas wrote:
> On 08/04/2018 21:29, Christopher Schultz wrote:
>
> <snip/>
>
>> Does Tomcat do its own UTF-8 decoding because the JVM doesn't have a
>> facility to convert from ByteBuffer to CharBuffer? That seems like
>> something the JVM really should be providing...
>
> No. It does it because the JRE UTF-8 decoder is buggy. Some bugs were
> fixed in Java 8 and the rest in Java 9 so we need this decoder until
> Java 9 is the minimum.

Gotcha. Are there any known remaining bugs in the Java 9 implementation?
If not, should we go ahead and use the JVM-provided UTF-8 decoder when
we detect a suitable version of Java? Or is it simply not worth it?

Sadly, the OpenJDK license is GPL, so we can't simply use their code in
Tomcat. :(

> The issue is that incorrect decoding can lead to 'unexpected' behaviour
> when parsing URLs (read some form of security vulnerability).

Ack.

Thanks,
-chris