tomcat-dev mailing list archives

From "Remy Maucherat" <>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core
Date Sat, 17 Mar 2001 21:36:49 GMT
>   You can prove that it is not related to JSP by trying *any* URI that
>   includes JavaScript code, and triggers a 404, such as:
>   The fix is to filter the message string included in the response, so
>   characters sensitive to HTML are rendered as their corresponding escape
>   sequences (such as translating "<" to "&lt;") so that the browser will
>   render them rather than execute them.

I don't like that patch (sorry).

AFAIK, '<' isn't a safe character in a URL. If encoded, it should be encoded
using %xx.
So here, we should either:
- encode using %xx (instead of using the XML style encoding, because
otherwise after encoding the request will always fail with 404)
- Refuse to parse unsafe characters in the connector, and return a 400 (bad
request); that would probably break some old clients
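
The following is an added illustration of the options discussed in this message; it is not code from the thread, from the patch, or from Tomcat, and it uses Python as a stand-in for the Catalina error response rather than the Java under discussion. It builds the 404 page four ways: reflecting the request URI raw, HTML-escaping it as the quoted patch does, %xx-encoding it as suggested above, and refusing unsafe characters with a 400 at the connector. The request URI, the page template, the helper names and the set of characters treated as unsafe are all assumptions made for this example.

```python
"""Reflecting a request URI into a 404 page: the unsafe form and the alternatives.

Added example, not Tomcat code; a Python stand-in for the Catalina error response.
"""
import html
import re
from urllib.parse import quote, unquote

# Constructed request URI carrying a script payload. The URI from the original
# thread is not preserved in the archive, so this one is made up for the example.
PAYLOAD_URI = "/no-such-page/<script>alert(1)</script>"

# Assumed page template; the URI is wrapped in <code> so it can be located again below.
TEMPLATE = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>404 Not Found</h1>"
    "<p>The requested resource <code>{uri}</code> is not available.</p>"
    "</body></html>"
)

# Assumed rejection set: control characters, space, and the RFC 2396 "delims" and
# "unwise" characters when they appear unencoded. Illustrative, not Tomcat's rule.
UNSAFE_CHAR_RE = re.compile(r'[\x00-\x20\x7f<>"{}|\\^\[\]`]')


def error_page_raw(uri: str) -> str:
    """Vulnerable form: the request URI is dropped straight into the HTML body."""
    return TEMPLATE.format(uri=uri)


def error_page_html_escaped(uri: str) -> str:
    """The fix the quoted message describes: '<' becomes '&lt;' (and similar),
    so the browser renders the characters instead of parsing them as markup."""
    return TEMPLATE.format(uri=html.escape(uri, quote=True))


def error_page_percent_encoded(uri: str) -> str:
    """First alternative above: show unsafe characters as %xx, as a URL carries them.
    '<' becomes '%3C', which the browser also does not treat as markup."""
    return TEMPLATE.format(uri=quote(uri, safe="/"))


def connector_status(uri: str) -> int:
    """Second alternative above: refuse unsafe characters at the connector with 400.

    Resource lookup is not modelled, so a URI that passes the check is reported as 404.
    """
    return 400 if UNSAFE_CHAR_RE.search(uri) else 404


def contains_live_markup(page: str) -> bool:
    """Crude stand-in for the browser: would the reflected payload parse as a script tag?"""
    return "<script" in page.lower()


def displayed_uri_round_trips(page: str, original: str) -> bool:
    """Take the URI as shown on the page, percent-decode it as a client retrying the
    request would, and check whether it still names the original resource.

    This is the retry concern raised above: an entity-encoded string is a different URI,
    whereas a %xx-encoded one decodes back to the one that was requested.
    """
    start = page.index("<code>") + len("<code>")
    end = page.index("</code>", start)
    return unquote(page[start:end]) == original


if __name__ == "__main__":
    for name, build in (
        ("raw", error_page_raw),
        ("html-escaped", error_page_html_escaped),
        ("percent-encoded", error_page_percent_encoded),
    ):
        page = build(PAYLOAD_URI)
        print(f"{name:16s} live markup: {contains_live_markup(page)!s:5s} "
              f"round-trips as URI: {displayed_uri_round_trips(page, PAYLOAD_URI)}")
    print("connector status for payload URI:", connector_status(PAYLOAD_URI))
```

Both the HTML-escaped and the %xx-encoded page keep the browser from executing the payload; the difference the message above is pointing at shows up in the round-trip check, where only the %xx form still decodes to the URI that was actually requested. The 400 path is independent of the error page altogether: the unsafe request never reaches it.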
