> Good work. With this description, the developers should be able to quickly > identify the bug and squash it. I recommend you submit this as a problem in > the bugs database.
It's already there (bug 4707), but the problem is that this URL normalization was introduced to counter some URL based attacks used to get around security constraints. It is also forbidden to URLEncode the '/' character (again to counter the same type of attacks). Due to the high risk, it won't be fixed in the 4.0.x branch (I don't want to have to make emergency releases too often ;-)). Remy > Chris Shenton wrote: > > >I'm developing a webapp under TDK which gets a target URL in the > >PathInfo. This is working fine in TDK. But when I move the webapp to > >standalone Tomcat-4.0.3, I see that Tomcat is gratuitously eating > >slashes in PathInfo, so it's compressing stuff like > > > > http://example.com > >to > > http:/example.com > > > >and breaking my app. > > > >I wrote a dinky test case, attached below, but it basically just takes > >the HttpServletRequest and writes out its URL pieces, the most > >important being req.getPathInfo(). > > > >My test URL is: > > > >http://localhost:8080/sna/servlet/gov.nasa.hq.sna.intranetbroker.SlashTest/ oj///simpson?lawyer=cochran > > > >When I run it under TDK, the result is: > > > > Method: GET > > Scheme: http > > ServerName: localhost > > ServerPort: 8080 > > ContextPath: /sna > > ServletPath: /servlet/gov.nasa.hq.sna.intranetbroker.SlashTest > > RequestURL: http://localhost:8080/sna/servlet/gov.nasa.hq.sna.intranetbroker.SlashTest/o j///simpson > > RequestURI: /sna/servlet/gov.nasa.hq.sna.intranetbroker.SlashTest/oj///simpson > > QueryString: lawyer=cochran > > PathInfo: /oj///simpson > > > >When I do the same with Tomcat (on port 58080), I get: > > > > Method: GET > > Scheme: http > > ServerName: localhost > > ServerPort: 58080 > > ContextPath: /sna > > ServletPath: /servlet/gov.nasa.hq.sna.intranetbroker.SlashTest > > RequestURL: http://localhost:58080/sna/servlet/gov.nasa.hq.sna.intranetbroker.SlashTest/ oj/simpson > > RequestURI: /sna/servlet/gov.nasa.hq.sna.intranetbroker.SlashTest/oj/simpson > > QueryString: lawyer=cochran&foo > > PathInfo: /oj/simpson > > > >Note that it's modifying what it reports as the incoming URL, in > >PathInfo, RequestURL, and RequestURI. That shouldn't be happening, > >should it? Something not quite right in Tomcat? > > > >(I don't want to have to URL-encode this, because I've run into > > problems before -- my app is a proxy and url-encoded FORM variable > > using METHOD=GET get trashed.) > > > >Suggestions? Thanks. > > > >---- > >I'm including the test code, in case maybe I'm doing something > >stupid. The list manager didn't allow posting as an attachment, so > >I'll just inline the body here. > > > >public class SlashTest extends HttpServlet > >{ > > public void doGet(HttpServletRequest req, > > HttpServletResponse res) > > throws java.io.IOException > > { > > res.setContentType("text/plain"); > > PrintWriter out = res.getWriter(); > > > > out.println( "\n Method: " + req.getMethod() > > + "\n Scheme: " + req.getScheme() > > + "\n ServerName: " + req.getServerName() > > + "\n ServerPort: " + req.getServerPort() > > + "\n ContextPath: " + req.getContextPath() > > + "\n ServletPath: " + req.getServletPath() > > + "\n RequestURL: " + req.getRequestURL() > > + "\n RequestURI: " + req.getRequestURI() > > + "\n QueryString: " + req.getQueryString() > > + "\n PathInfo: " + req.getPathInfo() > > ); > > } > >} > > > > > >-- > >To unsubscribe: <mailto:[EMAIL PROTECTED]> > >For additional commands: <mailto:[EMAIL PROTECTED]> > >Troubles with the list: <mailto:[EMAIL PROTECTED]> > > > > > > > > > > > -- > To unsubscribe: <mailto:[EMAIL PROTECTED]> > For additional commands: <mailto:[EMAIL PROTECTED]> > Troubles with the list: <mailto:[EMAIL PROTECTED]> > -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>