tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Berry <>
Subject Re: parameters in URL path segments
Date Wed, 23 Aug 2006 22:08:32 GMT

On Aug 23, 2006, at 2:40 PM, William A. Rowe, Jr. wrote:

> James Berry wrote:
>>> Because Tomcat and Apache are blind to parameters, the connector - 
>>> should-
>>> reject them.  When Tomcat/Apache are able to treat your  
>>> "this;biz=bar"
>>> example the same as "this" for the purpose of access control,  
>>> then they
>>> can be enabled in an opaque manner that lets the application  
>>> determine
>>> their meaning and context.
>> So maybe this is the crux of it. Why/where is it that "this;biz=bar"
>> cannot be treated the same for the purposes of access control as  
>> "this"?
>> The URL spec says that these are equally valid, and that  
>> "this,biz=bar"
>> is equally valid (and suggests too that it might also be used for
>> passing parameters) but to my understanding, that should be no  
>> concern
>> of tomcat's.
> BUT today's parsers don't do that.  So any DENY rule on "this"  
> would let
> "this;biz=bar" slip through, while the handler might process "this"  
> and
> ignore parameters entirely.

So such a deny rule on "this" would currently let "this;biz=bar"  
through, and would also let "thisthatandtheotherthing" through too,  

I see nothing wrong with that: if follows my assertion that semicolon  
parameters simply should not be treated any differently.

> Now understand I'm not a big fan of deny rules (deny all, then always
> selectively grant access ;-)  But we can't ignore that they exist, and
> if parameters must be treated independently of the resource that they

What I'm saying is that they should not be treated independently or  
differently. They should be treated not as metadata, but as part of  
the segment.

> modify, then /myfolder;v=1.1/records.doc;f=rtf must parse against any
> access control rules of /myfolder/records.doc, which means they need
> a canonical form for access control independent of their parameters.

The situation today is that if I form one url that looks like:


and another that looks like:


and another that looks like:


The one that uses semicolons is mangled by Tomcat, while the other  
two are not. What I'm claiming is that this is a bug, because  
parameters should not be treated differently by tomcat; it can do  
nothing different with the first url than it can with the second or  
third url, and it should leave the distinction to code that can,  
rather than assuming it knows something that it doesn't.

The rfcs, to me, are saying that http servers shouldn't treat segment  
parameters in any special way. And until they should, or can, or  
really want to, Tomcat shouldn't reject a semicolon when it doesn't  
reject a comma.

> I need to research, but it's probably doable.  It's not doable by just
> tweaking the code in mod_jk, however.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message