[ https://issues.apache.org/jira/browse/WICKET-1624?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596238#action_12596238 ]
Doug Donohoe commented on WICKET-1624: -------------------------------------- I discovered this bug when building a simple search form that is bookmarkable. I boiled this case down to a simple example, but I believe the double-decoding affects other than just the "+". For example, I am having similar issues with extended ascii characters. > ServletWebRequest.getRelativePathPrefixToContextRoot() double decodes servlet > path > ---------------------------------------------------------------------------------- > > Key: WICKET-1624 > URL: https://issues.apache.org/jira/browse/WICKET-1624 > Project: Wicket > Issue Type: Bug > Components: wicket > Affects Versions: 1.3.3, 1.4-M1 > Environment: Tomcat 6.0.16 on Mac OS X. > Reporter: Doug Donohoe > Priority: Blocker > Fix For: 1.4-M2 > > Attachments: bugs.jar > > > The following line in ServletWebRequest.getRelativePathPrefixToContextRoot() > String servletPath = RequestUtils.decode(getServletPath()); > causes problems with relative path for CSS and images. I believe it is > because the servlet path is already URL decoded. Running it again causes > things that shouldn't be decoded to be decoded. For example, > %2B gets URL decoded to a plus (+). But, running it again causes any + to be > decoded to a space. This causes the endsWith() check to fail when it > shouldn't. Because that fails, more "../" get prepended than is correct. > I'll attach a quickstart which demonstrates the problem. > I think the fix is to remove the RequestUtils.decode() call above, but > someone closer to the code might feel this breaks something. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.