https://issues.apache.org/bugzilla/show_bug.cgi?id=57215

--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Mark Thomas from comment #4)
> 
> Regarding the fragility of canonicalContextPath.equals(candidate), better
> suggestions welcome.

The code that was added to the Request class is located far from the code that
performs decoding and mapping (CoyoteAdapter) and the one that performs
URL-decoding (UDecoder), and it is hard to compare those and keep them in sync.

Comparing the code highlighted an issue -> 1.

1. Using UDecoder.URLDecode(candidate) + canonicalContextPath.equals(candidate)
is broken, as URLDecode() without second argument uses ISO-8859-1 charset. The
equals() may return false.

2. Move the code to CoyoteAdapter.postParseRequest(). Evaluate the value there
only once.

3. In unexpected situations, error out (400) instead of falling through.

4. Maybe add a utility method to UDecoder to search for the next decoded '/' in a
ByteChunk?


5. In CoyoteAdapter.postParseRequest() when decodedURI.getType() is not bytes
(e.g. when requestURI is changed by RewriteValve), normalization is skipped. I
think that it should not be skipped.

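The charset problem in point 1 and the "error out instead of falling through" advice in point 3, as an added illustration that is not part of the bug report or of Tomcat's code: a small Python stand-in for the decode-then-equals() check, with constructed context path and request URI values, showing that decoding a UTF-8 encoded path as ISO-8859-1 produces a string that never equals the canonical context path, and that undecodable bytes are reported as a malformed request rather than silently treated as "no match".

```python
from typing import Optional
from urllib.parse import unquote

# Constructed sample values (not from the report): a context path with a
# non-ASCII character, the percent-encoded form a UTF-8 client sends for it,
# and the form an ISO-8859-1 client would send for the same path.
CANONICAL_CONTEXT_PATH = "/café"
RAW_CANDIDATE_UTF8 = "/caf%C3%A9"
RAW_CANDIDATE_LATIN1 = "/caf%E9"


def decode_candidate(raw_candidate: str, charset: str) -> Optional[str]:
    """Percent-decode raw_candidate with an explicit charset.

    Returns None when the decoded bytes are not valid in that charset; the
    caller should treat this as a malformed request (400) instead of
    continuing as if the URI were well-formed (point 3 of the comment).
    """
    try:
        return unquote(raw_candidate, encoding=charset, errors="strict")
    except UnicodeDecodeError:
        return None


def candidate_matches(canonical: str, raw_candidate: str, charset: str) -> bool:
    """The decode-then-equals() check from the report, parameterised by charset."""
    decoded = decode_candidate(raw_candidate, charset)
    return decoded is not None and decoded == canonical


if __name__ == "__main__":
    for charset in ("iso-8859-1", "utf-8"):
        decoded = decode_candidate(RAW_CANDIDATE_UTF8, charset)
        print(f"{charset:>10}: decoded={decoded!r} "
              f"match={candidate_matches(CANONICAL_CONTEXT_PATH, RAW_CANDIDATE_UTF8, charset)}")
    # Latin-1 bytes are not valid UTF-8: reject rather than fall through.
    print("latin-1 bytes as utf-8:", decode_candidate(RAW_CANDIDATE_LATIN1, "utf-8"))
```

Decoding with the default ISO-8859-1 yields "/cafÃ©" for a UTF-8 client, so equals() fails even though the request targets exactly that context; only decoding with the connector's URI charset makes the comparison meaningful.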