Marc Saegesser wrote:
> 
> I just tried this using the SnoopServlet that ships with Tomcat using a URL
> like
> 
> http://localhost:8080/servlet/SnoopServlet/http://fubar
> 
> and got
> 
> /http:/fubar
> 
> as the path info.  Your description makes it look like you're losing http: in
> addition to the one of the /s.  Is this what you're seeing?

Using SnoopServlet I see /http:/fubar just like you.  My seeing the
http: being eaten was due to how the GoTo servlet responded to the
illegal URL being used.  So that's good, it's only the double-slash to
single-slash issue.  It's a hard issue, but a straightforward issue.

> This problem is almost certainly caused by the URL normalization code that got
> put into 3.2.3 to fix a serious security hole.  This is going to be
> difficult to resolve.  We have to normalize the URL before the servlet
> container uses it (I think this is even going to be added to the latest
> servlet specification) or some really bad things can happen with prefix
> mapping.  However, until we've done the prefix mapping we can't know what
> part of the URL refers to a servlet and what part is path info.  Getting
> back the original non-normalized path info is going to be tricky.

I don't recall any EG discussion about normalizing the URL before the
container sees it.  Generally the spec makes contracts on the
"container" as it interfaces with the servlet and doesn't make any
statements about how a web server might support a plug-in.

> This is even worse because we also won't allow the URL to be encoded like
> 
> http://localhost:8080/servlet/SnoopServlet/http:%2F%2Ffubar
> 
> because we make some rather draconian precautions to ensure that nastily
> encoded URLs can't obtain access to protected resources (or even resources
> outside the webapp).

Hmm... I wonder if Tomcat has the right to make illegal what HTTP would
allow?

> I'll have to give this one some thought.  If URL normalization is being
> added to the specification then there should also be some guidance on how it
> relates to path info.  

As I understand it, extra path info has to be returned in its simple
decoded form.

-jh-
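A worked illustration of the ordering discussed in this thread (percent-decode, normalize, then prefix-map), added here as an example; it is not Tomcat's code. The servlet mappings, the rule that refuses encoded slashes before decoding, and the `default` fallback are assumptions made for the example. It shows why normalizing first is the safe order, and why that same order turns `/http://fubar` into `/http:/fubar` as path info.

```python
"""Minimal request-path normalizer and prefix mapper (illustrative, not Tomcat's code)."""
from urllib.parse import unquote

# Hypothetical prefix mappings (servlet path -> servlet name), constructed for this example.
SERVLET_MAPPINGS = {
    "/servlet/SnoopServlet": "SnoopServlet",
    "/servlet/GoTo": "GoTo",
}


def normalize_path(raw_path: str) -> str:
    """Decode and normalize a request path, refusing anything that escapes the root.

    Encoded slashes are rejected *before* decoding (a simple stand-in for the
    precaution the thread describes; assumed here, not Tomcat's actual check).
    Repeated slashes collapse, '.' segments vanish and '..' pops a segment, so a
    double slash in extra path info cannot survive normalization.
    """
    lowered = raw_path.lower()
    if "%2f" in lowered or "%5c" in lowered:
        raise ValueError("encoded slash not allowed")
    decoded = unquote(raw_path)          # %2e%2e becomes .. here, so it is handled below
    if not decoded.startswith("/"):
        raise ValueError("path must be absolute")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):             # '' comes from '//' or the leading '/'
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the web application root")
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def _longest_prefix(path: str):
    """Return the longest mapped prefix matching path, or None."""
    best = None
    for prefix in SERVLET_MAPPINGS:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best


def map_request(raw_path: str):
    """Safe order: normalize first, then prefix-map. Returns (servlet, servlet_path, path_info)."""
    path = normalize_path(raw_path)
    best = _longest_prefix(path)
    if best is None:
        return ("default", path, "")     # assumed fallback: default servlet gets the whole path
    return (SERVLET_MAPPINGS[best], best, path[len(best):])


def naive_map_request(raw_path: str):
    """Unsafe order for contrast: prefix-map on the raw path and hand back raw path info."""
    best = _longest_prefix(raw_path)
    if best is None:
        return ("default", raw_path, "")
    return (SERVLET_MAPPINGS[best], best, raw_path[len(best):])


if __name__ == "__main__":
    # The case from the thread: the '//' in the path info collapses to '/'.
    print(map_request("/servlet/SnoopServlet/http://fubar"))
    # Why normalizing first matters: the traversal never reaches the servlet.
    print(map_request("/servlet/SnoopServlet/../../WEB-INF/web.xml"))
    print(naive_map_request("/servlet/SnoopServlet/../../WEB-INF/web.xml"))
```

Run it directly to see the three mappings side by side: the thread's example yields `/http:/fubar` as path info, the normalized mapper sends the `..` request to the default servlet with `/WEB-INF/web.xml` (which a container can then refuse), while the naive mapper hands the servlet an un-normalized path info it would have to re-check itself.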
