If the ExtraPathInfo setting in Application.config is true,
requesting a nonexistent URL invokes the wrong servlet rather than a
"not found" error. The servlet invoked is the index.py of the rightmost
valid context or subdirectory. The AppServer is treating the
nonexistent subdirectory or servlet as "path info"--data for the
index.py.

For instance, I just ported an existing home page to Webware. I clicked
on a nonexistent subdirectory link expecting "not found", but instead
got the same page back with the URL showing as
http://example.com/WW/I/subdir/
("WW" is the Webware root, "I" is the context, and "subdir" is the link
I clicked). Clicking it again returns the same page again (I/index.py)
with the URL showing as:
http://example.com/WW/I/subdir/subdir/

Turning off ExtraPathInfo produces the expected "not found" page.
Turning it on again produces the above behavior.

Is this a bug or a feature? Arguably it's what ExtraPathInfo is
"supposed" to do, but it *is* surprising, since I wouldn't expect
index.py to be silently inserted in the middle of a URL. If it is
a feature, I'll just document it in the Troubleshooting section of the
Wiki.

What options are there for protecting servlets from this abuse? Besides
turning off ExtraPathInfo, I mean, since I may want it for another
portion of the site. The only things I can think of are:

1) have every servlet display an error if extra path info != ''.
2) don't worry, be happy. But any relative links on such a page
will contain that path junk and so will loop back to that page. (Echoes
of the Twilight Zone's "Judgement Day" episode...)

--
-Mike (Iron) Orr, [EMAIL PROTECTED] (if mail problems: [EMAIL PROTECTED])
http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol
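
An added example, not part of the original message and not Webware's own resolver: a small stand-alone model of the fallback described above, with option 1 applied as a per-servlet opt-in so one section of the site can keep using path info. The `SERVLETS` table, the `/WW/I/files` section and the function names are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the post; not Webware code.
# SERVLETS is a constructed site layout: directory -> whether its index.py
# has opted in to receiving extra path info.
SERVLETS = {
    "/WW/I": False,        # home page context: must not take path info
    "/WW/I/files": True,   # hypothetical section that wants path info
}


def resolve(path, extra_path_info=True):
    """Return (servlet_dir, extra) or None for 'not found'."""
    parts = [p for p in path.split("/") if p]
    # Walk from the full path leftwards to the rightmost valid directory.
    for i in range(len(parts), 0, -1):
        candidate = "/" + "/".join(parts[:i])
        if candidate in SERVLETS:
            extra = "/".join(parts[i:])
            if extra and not extra_path_info:
                return None  # ExtraPathInfo off: leftover segments are an error
            return candidate, extra
    return None


def respond(path, extra_path_info=True):
    """Option 1: a servlet rejects path info unless it opted in."""
    hit = resolve(path, extra_path_info)
    if hit is None:
        return 404, None
    servlet, extra = hit
    if extra and not SERVLETS[servlet]:
        return 404, None  # stops the /subdir/subdir/ loop at the first click
    return 200, (servlet, extra)


if __name__ == "__main__":
    for url in ("/WW/I/", "/WW/I/subdir/", "/WW/I/subdir/subdir/",
                "/WW/I/files/a/b.txt"):
        print(url, "->", resolve(url), "guarded:", respond(url))
```
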