On 08/08/2016 21:25, Wang, Andy wrote:
> On Thu, 2016-07-14 at 21:11 +0200, Mark Thomas wrote:
>>> The only thing it might break was if someone tried to use a URL
>>> containing a % sign that wasn't encoded:
>>>
>>> String target = "/foo/bar?percent=%=#";
>>>
On Thu, 2016-07-14 at 21:11 +0200, Mark Thomas wrote:
> > The only thing it might break was if someone tried to use a URL
> > containing a % sign that wasn't encoded:
> >
> > String target = "/foo/bar?percent=%=#";
> > request.getRequestDispatcher(target).forward(request, response);
> >
> >
On 14/07/2016 00:22, Christopher Schultz wrote:
> Mark,
>
> On 7/11/16 4:40 PM, Mark Thomas wrote:
>> This was triggered by a thread on the users list. [1]
>>
>> Tomcat does not, and hasn't as far back as at least 4.1.x, decoded the
>> path provided in the call to getRequestDispatcher(path).
>>
Mark,
On 7/11/16 4:40 PM, Mark Thomas wrote:
> This was triggered by a thread on the users list. [1]
>
> Tomcat does not, and hasn't as far back as at least 4.1.x, decoded the
> path provided in the call to getRequestDispatcher(path).
>
> I think this might be incorrect. My logic for this is as
This was triggered by a thread on the users list. [1]
Tomcat does not, and hasn't as far back as at least 4.1.x, decoded the
path provided in the call to getRequestDispatcher(path).
I think this might be incorrect. My logic for this is as follows.
The servlet spec is clear (see 9.1.1) that path