tomcat-dev mailing list archives

From <>
Subject Re: Tomcat 3.2.3 and getPathInfo
Date Fri, 24 Aug 2001 15:43:36 GMT
On Thu, 23 Aug 2001, Jason Hunter wrote:

> Hmm... I wonder if Tomcat has the right to make illegal what HTTP would
> allow?

My understanding is that a URL _can_ be transformed - and all servers are
normalizing it before matching.

The problem is that the servlet spec defines the mappings in a very
strict way - exact matching, etc - and the other big problem is that the
spec requires "original URLs" to be returned.

That leaves us very little else to do than reject all 'suspect' URLs
(otherwise anyone can pass the security constraints with a simple
/./ in the URL)
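
The reject-then-match check argued for above, as an added example that is not part of the original message and not Tomcat's code: strict matching on the raw path misses a protected resource once `/./` is inserted, while rejecting suspect paths first closes that gap without rewriting the URL. The protected patterns, the definition of "suspect", the sample paths and all names are assumptions made for illustration.

```java
import java.util.Locale;
public class SuspectUrlCheck {
    // Hypothetical security-constraint patterns: exact path or "/prefix/*".
    static final String[] PROTECTED = {"/admin/*", "/reports/summary.jsp"};

    // Strict matching against the path exactly as the client sent it.
    static boolean isProtected(String path) {
        for (String p : PROTECTED) {
            if (p.endsWith("/*")) {
                String dir = p.substring(0, p.length() - 2);      // "/admin"
                if (path.equals(dir) || path.startsWith(dir + "/")) return true;
            } else if (path.equals(p)) {
                return true;
            }
        }
        return false;
    }

    // Assumed definition of "suspect": dot segments, empty segments, backslashes,
    // and percent-encoded '.', '/' or '\' in the raw (undecoded) path.
    static boolean isSuspect(String rawPath) {
        String lower = rawPath.toLowerCase(Locale.ROOT);
        if (!rawPath.startsWith("/") || rawPath.contains("//") || rawPath.contains("\\")
                || lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) {
            return true;
        }
        for (String segment : rawPath.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) return true;
        }
        return false;
    }

    // Reject first, then match; the path is never rewritten, so the
    // "original URL" handed to the application is unchanged.
    static String decide(String rawPath) {
        if (isSuspect(rawPath)) return "REJECT";
        return isProtected(rawPath) ? "REQUIRE_AUTH" : "ALLOW";
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {"/admin/users.jsp", "/./admin/users.jsp",
                "/reports/./summary.jsp", "/reports/%2E/summary.jsp", "/index.html"};
        for (String s : samples) {
            String matchOnly = isProtected(s) ? "REQUIRE_AUTH" : "ALLOW";
            System.out.printf("%-26s match-only=%-12s reject-then-match=%s%n", s, matchOnly, decide(s));
        }
    }
}
```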

