tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex O'Ree" <>
Subject Re: URL-encoding and "#"
Date Sun, 15 Oct 2017 17:00:51 GMT
What was unexpected for me, was that even if the the symbol is URL
encoded, it was still stripped out by tomcat. I understand now
allowing a backslash in a URL, however if it is URL encoded as
%5C then why not allow it? Maybe I'm missing something

On Fri, Oct 13, 2017 at 7:17 AM,
<> wrote:
> Am 13.10.2017 um 12:48 schrieb Alex O'Ree:
>> Well that explains a lot. Similar issue for me. With url encoding,  tomcat
>> is dropping back slash and the plus symbol.
> While I think it is perfectly eligible to strive for a most perfect
> alignement with standards and specs, I think Tomcat should allow a
> reasonnable set of characters to be optionally allowed (as they already
> are in Tomcat up to 8.5).
> I am aware that these options may be a security issue and that the
> documentation should state that clearly. However it is not always
> possible to correct the environment to be "standard" compatible and the
> educational approach by not allowing these options is understandable but
> may be not appropriate in many situations.
> Best regards
> Markus
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message