tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex O'Ree" <spyhunte...@gmail.com>
Subject Re: URL-encoding and "#"
Date Sun, 15 Oct 2017 17:00:51 GMT
What was unexpected for me, was that even if the the symbol is URL
encoded, it was still stripped out by tomcat. I understand now
allowing a backslash in a URL, however if it is URL encoded as
%5C then why not allow it? Maybe I'm missing something

On Fri, Oct 13, 2017 at 7:17 AM, info@flyingfischer.ch
<info@flyingfischer.ch> wrote:
> Am 13.10.2017 um 12:48 schrieb Alex O'Ree:
>> Well that explains a lot. Similar issue for me. With url encoding,  tomcat
>> is dropping back slash and the plus symbol.
>
> While I think it is perfectly eligible to strive for a most perfect
> alignement with standards and specs, I think Tomcat should allow a
> reasonnable set of characters to be optionally allowed (as they already
> are in Tomcat up to 8.5).
>
> I am aware that these options may be a security issue and that the
> documentation should state that clearly. However it is not always
> possible to correct the environment to be "standard" compatible and the
> educational approach by not allowing these options is understandable but
> may be not appropriate in many situations.
>
> Best regards
> Markus
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message