All,
For discussion:
https://github.com/apache/tomcat/pull/923
-chris
On 11/19/25 8:53 AM, Christopher Schultz wrote:
> Mark,
>
> On 11/19/25 8:39 AM, Mark Thomas wrote:
>> On 19/11/2025 13:11, Christopher Schultz wrote:
>> <snip/>
>>> I'm curious about the expectations, here. If a URL ends up being
>>> passed through HttpServletResponse.encodeURL() more than once, is
>>> that an application bug or should the container take steps to avoid
>>> adding the same information to the URL multiple times?
>>> I don't recall reading any specific language about that in the Servlet
>>> specification.
>>
>> It only appears in the TCK in the signature tests.
>> All there really is is the Javadoc.
>>
>> I think a reasonable reading of the current Javadoc is that multiple
>> calls are OK and the container should take steps to avoid duplicating
>> information. Specifically:
>>
>> "Encodes the specified URL by including the session ID in it, or, if
>> encoding is not needed, returns the URL unchanged."
>>
>> While the examples listed shortly afterwards don't include "already
>> encoded" in the "logic to determine where the session ID needs to be
>> encoded in the URL" the examples don't exclude it. And the earlier
>> language implies it.
>>
>> You could ask (what was) the Servlet EG for an opinion.
>
> Thanks for the review.
>
> I'm already writing some code to look for and remove an existing query
> parameter in a URL and the only thing I have left to do is fix & -> ?
> when the csrf parameter is the first one following the ?.
>
> So I'll either end up using this code in my own application or pushing
> it into both CsrfPreventionFilter and, I suppose
> Response.encode(Redirect?)URL.
>
> -chris
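The query-parameter stripping Chris describes above, written out as an added example (this is not the code from PR 923 nor Tomcat's own `CsrfPreventionFilter` or `Response.encodeURL()` implementation). The class name `QueryParamScrubber`, the method names, and the parameter name `csrf` are assumptions for illustration; the nonce value is a constructed sample. The interesting cases are exactly the ones from the thread: the parameter sits first after the `?`, so the `&` that follows must become `?`; it is the only parameter, so the `?` disappears altogether; and a `#fragment` must survive untouched. Matching is done on the split key rather than with `indexOf(name + "=")`, which would also match a longer key that merely ends with the same text.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: idempotent add/remove of a query parameter so that passing a
// URL through an encoder more than once does not accumulate duplicate values.
public final class QueryParamScrubber {

    private QueryParamScrubber() {
    }

    // Remove every occurrence of the query parameter called 'name' from 'url'.
    // Handles: parameter first after '?', parameter as the only one, and a
    // trailing '#fragment', which is preserved as-is.
    public static String removeQueryParameter(String url, String name) {
        int queryStart = url.indexOf('?');
        if (queryStart < 0) {
            return url; // no query string, nothing to remove
        }
        // Only a '#' after the '?' starts a fragment.
        int fragmentStart = url.indexOf('#', queryStart);
        String base = url.substring(0, queryStart);
        String query = fragmentStart < 0
                ? url.substring(queryStart + 1)
                : url.substring(queryStart + 1, fragmentStart);
        String fragment = fragmentStart < 0 ? "" : url.substring(fragmentStart);

        List<String> kept = new ArrayList<>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue; // tolerate "?&a=1" or "a=1&&b=2"
            }
            int eq = pair.indexOf('=');
            // A bare "?csrf" (no '=') still counts as the parameter.
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (!key.equals(name)) {
                kept.add(pair);
            }
        }
        if (kept.isEmpty()) {
            return base + fragment; // the '?' goes away with the last parameter
        }
        // If the removed parameter was first, the former "&x=1" is now "?x=1".
        return base + "?" + String.join("&", kept) + fragment;
    }

    // Add the parameter, replacing any copy already present, so that calling
    // this twice with the same inputs yields the same URL.
    // 'value' is assumed to be already URL-encoded by the caller.
    public static String setQueryParameter(String url, String name, String value) {
        String stripped = removeQueryParameter(url, name);
        int fragmentStart = stripped.indexOf('#');
        String head = fragmentStart < 0 ? stripped : stripped.substring(0, fragmentStart);
        String fragment = fragmentStart < 0 ? "" : stripped.substring(fragmentStart);
        char sep = head.indexOf('?') < 0 ? '?' : '&';
        return head + sep + name + "=" + value + fragment;
    }

    public static void main(String[] args) {
        String nonce = "abc123"; // constructed sample value, not a real nonce
        String once = setQueryParameter("/app/page?x=1#top", "csrf", nonce);
        String twice = setQueryParameter(once, "csrf", nonce);
        System.out.println(once);
        System.out.println(twice);
        System.out.println("idempotent: " + once.equals(twice));
        // Parameter first after '?': the following '&' must become '?'.
        System.out.println(removeQueryParameter("/app?csrf=old&x=1", "csrf"));
        // Parameter is the only one: the '?' disappears, the fragment stays.
        System.out.println(removeQueryParameter("/app?csrf=old#top", "csrf"));
    }
}
```

Running `main` shows the second encoding pass producing the same URL as the first, which is the property a filter such as `CsrfPreventionFilter` would want if the container is expected to tolerate repeated `encodeURL()` calls. A production version in a servlet container would also need to decide how to treat a parameter that appears with a different key casing or percent-encoding, which this example deliberately treats as a different key.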