tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lars Oppermann <>
Subject URI handling in tomcat 3.2.3
Date Thu, 13 Sep 2001 10:00:29 GMT
Hi everyone,

we were in progress of moving our project to tomcat 3.2.3 when we came 
accross the new handling of URIs (release-notes sec. 7.2).

Since we are using the URI to transport other hierarchical information 
then filesystem paths, we have the feeling, that this kind of 
functionality belongs to the default servlet serving filesystem 
requests. Especialy the fact that %25, %2E, %2F and %5c inside an URI 
lead to a 404 error seems to somewhat strange.
For Example: http://server/app/UCB/
would be rejected, before app has teh possibilty to look at the request 
and ...hier://address/myfile... would be normalized to hier:/address.

We are perfectly aware of the security concerns behind these changes. 
However, they only apply when serving resources from the filesystem. A 
URL's path-components however are in no way bound to the representaion 
of filesystem paths.(After all, the U in URL stands for universal :)

RFC 2396 states that '/' in an URI has another semantic meaning then %2F 
in an URI. The '/' seperates path-components, while the %2F means a 
slash character in a path-component. When such an URI is mapped to a 
filesystem this would denote a filename that contains a slash. When the 
system does not allow for such names, it is the responsebilty of the 
filesystem servlet to report an error (404 since such a file must not 
exist on unix for example).

What are your opinions on this?

Lars Oppermann <>               Sun Microsystems
Software Engineer - Sun ONE Webtop                       Sachsenfeld 4
Phone: +49 40 23646 959                                D-20097 Hamburg
Fax:   +49 40 23646 550            

View raw message