tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: URLs with '../' and 404s
Date Fri, 09 Apr 2010 07:36:15 GMT
On 08/04/2010 23:23, Nikita Tovstoles wrote:
> So, if the current URI is "http://localhost/app/page" and sendRedirect
> method arg is "../../app/page.0" what does that violate?

That relative URL is not valid. To construct the absolute URL, you strip 
off the file name from the path and append the relative URL. That gives you:
http://localhost/app/../../app/page.0

To check the validity, let's normalize it:
Removing the first '..' gives:
http://localhost/../app/page.0

and that is clearly not valid.

This is looking very much like your relative URLs are not correct.

> The arg is a
> relative URL that "container must convert to an absolute URL", no?

What part of http://localhost/app/page/../../app/page.0 are you claiming 
is not absolute? It might not be normalized, but it is absolute.

A simple JSP that contains:
<% response.sendRedirect("../sub2/user001.jsp"); %>
works perfectly for me.

This, and the fact that no-one else is complaining that relative 
redirects are broken, adds weight to the theory that the relative URLs 
being used in your app are not correct.

> And, yes, the *result* of that conversion must be an absolute URL as
> specified by:
> http://tools.ietf.org/html/rfc2616#section-14.30

It is.

Going back and checking your first post in this thread, the example you 
gave was:

<quote>
-assume client is at http://localhost/app/home
-app responds to a request with 302 '../home.0'
-Response.toAbsolute() rewrites Location as  http://localhost/app/home/ . .
/home.0 (spaces added to avoid spam filter)

But, if client then issues a GET with exactly that URL - and not
http://localhost/app/home.0, Tomcat will issue a 404. In other words,
toAbsolute() produces a URL that Tomcat cannot service. Why the asymmetry?
In other words, why not collapse the '../' in toAbsolute() - and thus
produce  http://localhost/app/home.0?
</quote>

That example is not correct.

The redirect URL will be:
http://localhost/app/../home.0

which when normalised is:
http://localhost/home.0

Which is not the http://localhost/app/home.0 expected, hence the 404.

Mark
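
The resolution steps walked through in the message above (strip the file name, append the relative URL, then normalize), as an added Python example that is not part of the original message and is not Tomcat's code. The names resolve_redirect and in_context are hypothetical, only path-relative references are handled, and the base URL in the third case is constructed because the message does not give one.

```python
from urllib.parse import urlsplit, urlunsplit

def resolve_redirect(base_url, relative):
    """Return (merged, normalized, escapes_root) for a path-relative redirect."""
    base, rel = urlsplit(base_url), urlsplit(relative)
    if rel.scheme or rel.netloc or rel.path.startswith("/"):
        raise ValueError("only path-relative references are handled here")
    # Step 1: strip the file name from the base path, append the relative URL.
    directory = base.path[: base.path.rfind("/") + 1] or "/"
    merged_path = directory + rel.path
    # Step 2: collapse '.' and '..', noting any '..' with nothing left to remove.
    out, escapes_root = [], False
    segments = merged_path.split("/")[1:]
    for i, seg in enumerate(segments):
        if seg == "..":
            if out:
                out.pop()
            else:
                escapes_root = True  # tried to climb above '/'
        elif seg != ".":
            out.append(seg)
        if seg in (".", "..") and i == len(segments) - 1:
            out.append("")  # a trailing dot segment leaves a directory path
    normalized_path = "/" + "/".join(out)

    def build(path):
        return urlunsplit((base.scheme, base.netloc, path, rel.query, ""))
    return build(merged_path), build(normalized_path), escapes_root

def in_context(url, context_path):
    """True if the URL's path is the context path or lies below it."""
    path = urlsplit(url).path
    return path == context_path or path.startswith(context_path.rstrip("/") + "/")

if __name__ == "__main__":
    cases = [
        ("http://localhost/app/page", "../../app/page.0"),   # from the thread
        ("http://localhost/app/home", "../home.0"),          # from the thread
        ("http://localhost/app/sub1/index.jsp", "../sub2/user001.jsp"),  # constructed base
    ]
    for base, rel in cases:
        merged, normalized, escapes = resolve_redirect(base, rel)
        print(f"{rel!r} from {base}")
        print(f"  merged:     {merged}")
        print(f"  normalized: {normalized}")
        print(f"  escapes root: {escapes}, in /app: {in_context(normalized, '/app')}")
```

Checking a redirect target with escapes_root and in_context before sending it catches both mistakes discussed in the thread: a reference with more '..' segments than the base path has directories, and one that normalizes to a path outside the application's context.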
