tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: getRequestURI() in relation to Connector.URIEncoding
Date Mon, 18 Feb 2013 11:44:19 GMT
Mark Thomas wrote:
> On 18/02/2013 09:54, Rainer Jung wrote:
>> On 17.02.2013 23:57, André Warnier wrote:
> 
>>> Otherwise, my feeling is that it will cost you quite a number of beers
>>> to stop Mark from fixing what could potentially be a security issue, now
>>> that he's sniffed it.
>> :)
>>
>> Not sure whether Mark's sniffing changes based on the fact that we are
>> now talking about the AJP part of the connectors.
> 
> It does mean I'm rather less concerned since that explains why the
> request wasn't rejected with a 400 response.

Well, the OP did not specifically test with the HTTP Connector, but it doesn't mean that 
the issue is not there too..

> 
> I still want to look at this to understand why getRequestURI() is
> behaving the way it is. There might still be a bug here.
>

Looks like getRequestURI() is behaving according to the Javadocs though, by providing the

original request line undecoded, "as is".  The issue is that the request should probably 
not even get to the point where it can be retrieved by getRequestURI(), no ?


The beer question is still open..

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message