Woellchen commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932522774
Could you please elaborate how a URI is not user input and how it can be prevented that a user calls a URI on a web application? I can't follow you. Relative paths are explicitly allowed in URIs, and that includes parent directories as well, see the mentioned RFC that defines URIs and how to handle them. This PR was meant to fix a bug in the path processing of Tomcat because it does not decode slashes in paths and that leads to the stripping of the remainder of the URI after the `;` character. I have also added test cases for this issue.