Return-Path: <tomcat-bugs@cortexity.com>
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 59646 invoked from network); 11 Sep 2000 12:22:22 -0000
Received: from msp-26-164-174.mn.rr.com (HELO localhost.localdomain)
 (24.26.164.174)
  by locus.apache.org with SMTP; 11 Sep 2000 12:22:22 -0000
Received: from fatman (IDENT:nobody@localhost [127.0.0.1])
	by localhost.localdomain (8.9.3/8.9.3) with SMTP id GAA10978
	for <tomcat-bugs@cortexity.com>; Mon, 11 Sep 2000 06:20:14 -0500
Message-ID: <134664582.968671214830.JavaMail.nobody@fatman>
Date: Mon, 11 Sep 2000 06:20:14 -0500 (CDT)
From: BugRat Mail System <tomcat-bugs@cortexity.com>
Reply-To: BugRat Mail System <tomcat-bugs@cortexity.com>
To: tomcat-bugs@cortexity.com
Subject: BugRat Report #97 has been filed.
Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="134687289.968671214801.JavaMail.nobody@fatman"
X-Mailer: org.gjt.mail.EnhancedMimeMsg, <http://www.gjt.org/>
Organization: The Giant Java Tree, <http://www.gjt.org/>
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

--134687289.968671214801.JavaMail.nobody@fatman
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Bug report #97 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com:8888/BugRatViewer/ShowReport/97>

REPORT #97 Details.

Project: Catalina
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment: 
   Release: current toplevel CVS source
   JVM Release: 1.2
   Operating System: solaris
   OS Release: 2.7
   Platform: sparc

Synopsis: 
decoding of URL is never necessary

Description:
In org.apache.tomcat.connector.http.HttpProccessor.java
there is some code that decodes the URI if necessary
as the comment above the code describes it.

Decoding the URL is never necessary but is bug
because it is a violation of the URL / URI formats as described in rfc1738, rfc1630 and rfc2616.

If the URL is decoded the original URL used in the request
can not be reconstructed and the semantics of the URL
changes.

Example: it IS a difference if a slash is used
or a encoded slash is used,
a slash is a hierachy delimiter an encoded slash isn't.

Decoding the URL breaks javax.servlet.HttpUtil.getRequestURL()
and makes servlets unusable that use encoded names in URLs.


--134687289.968671214801.JavaMail.nobody@fatman
Content-Type: text/html; name=Report-97.html
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=Report-97.html
Content-Description: DataSource attachment 'Report-97.html'

<html>
<head>
<title>
BugRat Report #
97
</title>
</head>
<body>
<h2>
BugRat Report #
97
</h2>
<table width="100%" cellspacing="0"
       cellpadding="0">
<tr>
<td width="50%">
<strong>Project:</strong>
Catalina
</td>
<td width="50%">
<strong>Release:</strong>
current toplevel CVS source
</td>
</tr>
<tr>
<td width="50%">
<strong>Category:</strong>
Bug Report
</td>
<td width="50%">
<strong>SubCategory:</strong>
New Bug Report
</td>
</tr>
<tr>
<td width="50%">
<strong>Class:</strong>
swbug
</td>
<td width="50%">
<strong>State:</strong>
received
</td>
</tr>
<tr>
<td width="50%">
<strong>Priority:</strong>
high
</td>
<td width="50%">
<strong>Severity:</strong>
critical
</td>
</tr>
<tr>
<td width="50%">
<strong>Confidence:</strong>
public
<br>
</td>
</tr>
</table>
<p>
<strong>Submitter:</strong>
Bernd Eilers (&nbsp;<a href="mailto:bei@staroffice.de">bei@staroffice.de</a>&nbsp;)
<br>
<strong>Date Submitted:</strong>
Sep 11 2000, 06:20:14 CDT
<br>
<strong>Responsible:</strong>
Z_Tomcat Alias (&nbsp;<a href="mailto:tomcat-bugs@cortexity.com">tomcat-bugs@cortexity.com</a>&nbsp;)
<p>
<DL>
<DT><strong>Synopsis:</strong>
<DD>
decoding of URL is never necessary
</DL>
<DL>
<DT><strong> Environment:</strong> (jvm, os, osrel, platform)
<DD>
1.2, solaris, 2.7, sparc
</DL>
<p>
<DL>
<DT><strong>Additional Environment Description:</strong>
<DD>

</DL>
<p>
<DL>
<DT><strong>Report Description:</strong>
<DD>
In org.apache.tomcat.connector.http.HttpProccessor.java
there is some code that decodes the URI if necessary
as the comment above the code describes it.

Decoding the URL is never necessary but is bug
because it is a violation of the URL / URI formats as described in rfc1738, rfc1630 and rfc2616.

If the URL is decoded the original URL used in the request
can not be reconstructed and the semantics of the URL
changes.

Example: it IS a difference if a slash is used
or a encoded slash is used,
a slash is a hierachy delimiter an encoded slash isn't.

Decoding the URL breaks javax.servlet.HttpUtil.getRequestURL()
and makes servlets unusable that use encoded names in URLs.

</DL>
<p>
<DL>
<DT><strong>How To Reproduce:</strong>
<DD>
null
</DL>
<p>
<DL>
<DT><strong>Workaround:</strong>
<DD>
null
</DL>
<P><A HREF="http://znutar.cortexity.com:8888/BugRatViewer/ShowReport/97
">
<center>
View this report online...
</center>
</a>
</body>
</html>

--134687289.968671214801.JavaMail.nobody@fatman--