On 2/3/2019 3:34 PM, Mark Thomas wrote:
> ... There is an open question what Tomcat should do with %2F sequences.
"What Tomcat should do" in what context? The servlet and JAX-RS specs may be clear about whether decoded or "raw" APIs should be returned from the various API methods. But I guess the issue here is /not/ whether JAX-RS should interpret a path segment as decoded or encoded. The issue is whether Tomcat has already fiddled with the URI itself to /change what constitutes the path segment/.
Unless an EE specification says to muck around with the URI like this, I don't see how the server has any business changing the content of the URI. If the escaped path delimiters are decoded early on, then the downstream APIs will get different path segments altogether: some will have characters missing, and there will moreover be more path segments than intended. It would seem to me that "trying to be helpful without being asked" in this case (as in most cases) would probably raise security issues, too.
Further downstream, whether each API method returns encoded or decoded information would depend on what the API contracts say, for better or for worse.
> It currently decodes them. Arguably, it should leave them alone.
That sounds right to me. I'll read the link you sent, thanks.

Garret
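The segment drift described in this thread, as an added illustration that is not part of the mailing-list discussion or of Tomcat's code: a toy model that decodes the whole URI before splitting (the behaviour objected to above) next to one that splits on the raw delimiters and decodes each segment afterwards. The sample paths are constructed.

```python
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample request paths (not taken from the thread); %2F is an escaped '/'.
SAMPLE_PATHS = [
    "/files/reports%2F2019/summary",
    "/users/alice%2Fbob/profile",
    "/users/alice/profile",
]


def segments_decode_first(raw_path: str) -> List[str]:
    """Model of early decoding: the container percent-decodes the entire URI
    before anything looks at its structure, so an escaped '/' becomes a real
    delimiter and the segment boundaries move."""
    decoded = unquote(raw_path)
    return [s for s in decoded.split("/") if s]


def segments_split_first(raw_path: str) -> List[str]:
    """Split on the literal '/' delimiters of the raw URI, then decode each
    segment on its own; an escaped '/' stays inside the segment it belongs to."""
    return [unquote(s) for s in raw_path.split("/") if s]


def segment_drift(raw_path: str) -> Dict[str, object]:
    """Compare both orderings and flag whether early decoding changed the
    segment list; this is the check to run when auditing how a container
    treats %2F, since a changed list means downstream authorization or routing
    decisions see a different path than the client actually sent."""
    early = segments_decode_first(raw_path)
    late = segments_split_first(raw_path)
    return {
        "raw": raw_path,
        "decode_first": early,
        "split_first": late,
        "drifted": early != late,
    }


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(segment_drift(path))
```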