Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 16385 invoked from network); 13 Oct 2010 16:09:49 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 13 Oct 2010 16:09:49 -0000 Received: (qmail 49462 invoked by uid 500); 13 Oct 2010 16:09:48 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 49179 invoked by uid 500); 13 Oct 2010 16:09:48 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 49170 invoked by uid 99); 13 Oct 2010 16:09:48 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Oct 2010 16:09:48 +0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [140.211.11.9] (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with SMTP; Wed, 13 Oct 2010 16:09:45 +0000 Received: (qmail 16323 invoked by uid 99); 13 Oct 2010 16:09:24 -0000 Received: from localhost.apache.org (HELO [192.168.23.9]) (127.0.0.1) (smtp-auth username markt, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Oct 2010 16:09:24 +0000 Message-ID: <4CB5D9AE.2010305@apache.org> Date: Wed, 13 Oct 2010 17:09:18 +0100 From: Mark Thomas User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4 MIME-Version: 1.0 To: Tomcat Developers List Subject: Re: svn commit: r1005192 - /tomcat/tc6.0.x/trunk/STATUS.txt References: <20101006180303.79C36238899C@eris.apache.org> In-Reply-To: X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 13/10/2010 16:57, Konstantin Kolinko wrote: > 2010/10/6 : >> Author: markt >> Date: Wed Oct 6 18:03:03 2010 >> New Revision: 1005192 >> >> URL: http://svn.apache.org/viewvc?rev=1005192&view=rev >> Log: >> Proposal >> >> Modified: >> tomcat/tc6.0.x/trunk/STATUS.txt >> >> + >> +* Fix path parameter handling. Currently the following URL fails with a 404: >> + http://localhost:8080/examples/jsp/snp;x=y/snoop.jsp >> + http://people.apache.org/~markt/patches/2010-10-06-path-param-tc6.patch >> + +1: markt >> + -1: >> > > I think this is wrong, because a path parameter is not just a pair of > (name, value), but a triple of (path, name, value), taking into > account the path segment where it was applied. > > The proposed patch strips information on the parameters from the path. > How the application is supposed to have access to them? The short answer is via getRequestURI(). The longer answer is: The Servlet Specification defines the following: requestURI = contextPath + servletPath + pathInfo It also states that: - path parameters are returned by getRequestURI() and getPathInfo() - contextPath & path parameters are ignored when mapping requests to servlets The specification does not state: - if the value returned by getContextPath() include path parameters or not. The implication is that it should not. - if the value returned by getServletPath() include path parameters or not. The implication is that it should not. If you add removal of /../ sequences, URI decoding and character decoding then the picture gets even murkier. The Servlet expert group has previously indicated [1] that the specification would be altered to state that getPathInfo() should not return path parameters and that clarification would be added to confirm that getContextPath() and getServletPath() should not return path parameters either. This clarification was never added to the specification. I'm not against switching from a pair to a triple for this but a) I'm not sure many (any?) folks are using path parameters apart from for session IDs and b) I think the 404 is a more important issue. Finally, I'd add that the behaviour varies considerably between containers in this area and an app's only hope for portability at the moment is to use getRequestURI(). Mark [1] https://issues.apache.org/bugzilla/show_bug.cgi?id=25015 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org