https://issues.apache.org/bugzilla/show_bug.cgi?id=57215
--- Comment #8 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Konstantin Kolinko from comment #5)
> 5. In CoyoteAdapter.postParseRequest() when decodedURI.getType() is not
> bytes (e.g. when requestURI is changed by RewriteValve), normalization is
> skipped. I think that it should not be skipped.

Skipping the url-decoding step is also wrong.

If RewriteValve provides a non-encoded requestUri, it means that there is a bug in RewriteValve. A web application should assume that requestURI needs url-decoding. It cannot find out that url-decoding shall be skipped.

The implementation of Request.getContextPath() in r1640083/r1642766 is an example of a victim of this bug. It always performs url-decoding.

>> 3. In unexpected situations, error out (400) instead of falling through.
>
> 3 makes sense if we do 2 but I don't think 2 is the way to go.

I do not like that Request.getContextPath() falls through to returning requestUri. It may result in security issues.
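
An added illustration of the two points in the comment above (not part of the original message and not Tomcat's Request.getContextPath() code): a consumer that always url-decodes fails to match a requestURI that was handed to it already decoded, and the fall-through branch then returns the whole URI as the "context path". The class, method names, `failClosed` flag and sample URIs are hypothetical, and normalization is left out to keep the sketch short.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration only; simplified, not Tomcat's implementation.
public class ContextPathDemo {
    // Stands in for the 400 response proposed in the thread.
    static class BadRequestException extends RuntimeException {
        BadRequestException(String msg) { super(msg); }
    }

    // Decode exactly once. '+' is literal in a path, so shield it from URLDecoder.
    static String decodeOnce(String s) {
        try {
            return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new BadRequestException("malformed escape in " + s);
        }
    }

    // Returns the raw (still encoded) prefix of requestUri whose decoded form
    // equals the canonical context path. failClosed=false mimics falling through.
    static String contextPath(String requestUri, String canonical, boolean failClosed) {
        int pos = requestUri.indexOf('/', 1);
        while (true) {
            String candidate = pos < 0 ? requestUri : requestUri.substring(0, pos);
            if (decodeOnce(candidate).equals(canonical)) {
                return candidate;
            }
            if (pos < 0) {
                break; // whole URI tried, nothing matched
            }
            pos = requestUri.indexOf('/', pos + 1);
        }
        if (failClosed) {
            throw new BadRequestException("context path not found in " + requestUri);
        }
        return requestUri; // fall-through: whole URI is reported as the context path
    }

    public static void main(String[] args) {
        String canonical = "/a%20b"; // constructed: context path with a literal '%'
        // Encoded URI as received from the client: the prefix is found.
        System.out.println(contextPath("/a%2520b/index.jsp", canonical, false));
        // Constructed non-encoded URI, as a buggy rewrite step might supply it.
        System.out.println(contextPath("/a%20b/index.jsp", canonical, false));
        try {
            contextPath("/a%20b/index.jsp", canonical, true);
        } catch (BadRequestException e) {
            System.out.println("400: " + e.getMessage());
        }
    }
}
```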