https://issues.apache.org/bugzilla/show_bug.cgi?id=57215
--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Mark Thomas from comment #4)
>
> Regarding the fragility of canonicalContextPath.equals(candidate), better
> suggestions welcome.

The code that was added to the Request class is located far from the code that performs decoding and mapping (CoyoteAdapter) and the one that performs URL-decoding (UDecoder), and it is hard to compare those and keep them in sync.

Comparing the code highlighted an issue -> 1.

1. Using UDecoder.URLDecode(candidate) + canonicalContextPath.equals(candidate) is broken, as URLDecode() without the second argument uses the ISO-8859-1 charset. The equals() may return false.

2. Move the code to CoyoteAdapter.postParseRequest(). Evaluate the value there only once.

3. In unexpected situations, error out (400) instead of falling through.

4. Maybe add a utility method to UDecoder to search for the next decoded '/' in a ByteChunk?

5. In CoyoteAdapter.postParseRequest() when decodedURI.getType() is not bytes (e.g. when requestURI is changed by RewriteValve), normalization is skipped. I think that it should not be skipped.
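Points 1 and 3 of the comment above, as an added example that is not part of the original message and is not Tomcat code: `percentDecode` is a hypothetical stand-alone helper (not `UDecoder`), the context path is a constructed sample, and the request URI is assumed to be UTF-8 encoded on the wire.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class ContextPathDecodeDemo {

    // Hypothetical helper: percent-decodes a raw URI path to bytes, then
    // interprets those bytes in the given charset.
    static String percentDecode(String raw, Charset cs) {
        // A raw request URI must be ASCII; reject anything else up front.
        if (!raw.chars().allMatch(ch -> ch < 0x80)) {
            throw new IllegalArgumentException("400: non-ASCII character in raw URI");
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c != '%') {
                out.write(c);
                continue;
            }
            // Point 3: fail the request on a malformed escape instead of
            // falling through with a partially decoded value.
            if (i + 2 >= raw.length()) {
                throw new IllegalArgumentException("400: truncated escape at " + i);
            }
            int hi = Character.digit(raw.charAt(i + 1), 16);
            int lo = Character.digit(raw.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("400: bad escape at " + i);
            }
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), cs);
    }

    public static void main(String[] args) {
        String canonicalContextPath = "/caf\u00e9"; // constructed sample: "/café"
        String candidate = "/caf%C3%A9";            // the same path, UTF-8 percent-encoded

        // Point 1: decoding as ISO-8859-1 turns the two UTF-8 bytes into two
        // characters, so the comparison with the canonical path fails.
        String latin1 = percentDecode(candidate, StandardCharsets.ISO_8859_1);
        String utf8 = percentDecode(candidate, StandardCharsets.UTF_8);
        System.out.println("ISO-8859-1 equals: " + canonicalContextPath.equals(latin1));
        System.out.println("UTF-8 equals:      " + canonicalContextPath.equals(utf8));
    }
}
```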