"Remy Maucherat" <[EMAIL PROTECTED]> writes:

> BTW, you have to encode '/' and ':' in your URI, as you did in the second
> case. The first URL with unencoded special chars is invalid (i.e., it may
> work, but it's not sure).

But if I encode `/' (as %2F), then HttpProcessor.normalize() will
reject it:

        // Prevent encoding '%', '/', '.' and '\', which are special reserved
        // characters
        if ((normalized.indexOf("%25") >= 0)
            || (normalized.indexOf("%2F") >= 0)
            || (normalized.indexOf("%2E") >= 0)
            || (normalized.indexOf("%5C") >= 0)
            || (normalized.indexOf("%2f") >= 0)
            || (normalized.indexOf("%2e") >= 0)
            || (normalized.indexOf("%5c") >= 0)) {
            return null;
        }

and you're rejecting URIs with this encoded-slash to avoid bypassing
security. So it sounds like there's no real way to pass in a slash.
Sorry if I'm being stupid and not seeing the right way to do this.


> I understand, but this won't be fixed in 4.0.x, as it is way too risky.
> We could consider fixing it in 4.1, since we'll have the benefit of going
> through a whole beta phase.

OK, thanks for the feedback.  If I can help, let me know.

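The trade-off discussed in this thread, as an added example (not Tomcat's code and not written by either poster): a check on the raw path and a check on the decoded path can disagree once `%2F` is allowed, which is why the quoted snippet rejects it, and the same rejection also blocks a harmless encoded slash inside one path segment. The class name, the `/admin/` prefix and the sample paths are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;

public class EncodedSlashCheck {
    // The escapes the quoted check rejects: '%', '/', '.' and '\'.
    private static final List<String> RESERVED = List.of("%25", "%2f", "%2e", "%5c");

    // Returns null for a path carrying an encoded reserved character,
    // like the quoted snippet, but compared case-insensitively in one pass.
    static String rejectEncodedReserved(String rawPath) {
        String lower = rawPath.toLowerCase(Locale.ROOT);
        for (String esc : RESERVED) {
            if (lower.contains(esc)) {
                return null;
            }
        }
        return rawPath;
    }

    // What a later layer would see if it decoded the path and resolved "..".
    static String decodeAndResolve(String rawPath) {
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        return URI.create(decoded).normalize().getPath();
    }

    public static void main(String[] args) {
        String protectedPrefix = "/admin/";      // hypothetical protected area
        String[] samples = {                     // constructed inputs
            "/docs/index.html",                  // nothing encoded
            "/public%2F..%2Fadmin%2Fsecret",     // raw and decoded views disagree
            "/files/a%2fb.txt",                  // slash meant as data in a segment
        };
        for (String raw : samples) {
            boolean rawMatch = raw.startsWith(protectedPrefix);
            boolean decodedMatch = decodeAndResolve(raw).startsWith(protectedPrefix);
            String verdict = rejectEncodedReserved(raw) == null ? "rejected" : "accepted";
            System.out.printf("%-32s raw-match=%-5b decoded-match=%-5b %s%n",
                    raw, rawMatch, decodedMatch, verdict);
        }
    }
}
```

The second sample is the case the rejection guards against (the prefix check on the raw path misses it, the decoded path lands under the prefix); the third is the case the poster is asking about, which is rejected by the same rule.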