On 4/8/18 6:39 PM, Mark Thomas wrote:
> On 08/04/2018 21:29, Christopher Schultz wrote:
> <snip/>
>> Does Tomcat do its own UTF-8 decoding because the JVM doesn't have a
>> facility to convert from ByteBuffer to CharBuffer? That seems like
>> something the JVM really should be providing...
> No. It does it because the JRE UTF-8 decoder is buggy. Some bugs were
> fixed in Java 8 and the rest in Java 9 so we need this decoder until
> Java 9 is the minimum.

Gotcha. Are there any known remaining bugs in the Java 9 implementation?
If not, should we go ahead and use the JVM-provided UTF-8 decoder when
we detect a suitable version of Java? Or is it simply not worth it?

Sadly, the OpenJDK license is GPL, so we can't simply use their code in
Tomcat. :(

> The issue is that incorrect decoding can lead to 'unexpected' behaviour
> when parsing URLs (read some form of security vulnerability).



To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to