On 13/02/2019 14:57, Christopher Schultz wrote:
> All,
>
> I just wanted to confirm that UTF-7 is not a typo on this page:
>
> http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#System_Properties
>
> Under the system property ENFORCE_ENCODING_IN_GET_WRITER.
>
> I'm almost certain that it's *not* a typo because UTF-7 can be
> misinterpreted as ISO-8859-1 by a particularly stupid client, but
> wanted to be sure just in case.

It is not a typo. We've rejected XSS vulnerability reports in the past on the grounds that the client isn't following the specs in this case.

Mark

>
> The UTF-7 character encoding is such a rare thing that I think many
> readers might think that UTF-7 is a typo and UTF-8 might be the
> intended encoding.
>
> Since that's not the case, I'd like to add a little note that we
> really mean UTF-7 and not UTF-8 in this context.
>
> Thanks,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org