On 07/12/2023 22:42, Kalaivani Sengottaiyan wrote:
On Thu, Dec 7, 2023 at 2:34 PM Kalaivani Sengottaiyan <
kalaivani.sengottai...@veeva.com> wrote:
In one of our sample cases, this is the url recorded by nginx
"-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +0000] "GET
/233.0.100?event=autoproc&fn=F%D0%A9%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8%E3%81%AB%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84%E0%B9%89%C3%A7%D0%B6%C4%90.zip&cksum=1225205368&addparms=Name%7C%7C%7CF%D0%A9%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8%E3%81%AB%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84%E0%B9%89%C3%A7%D0%B6%C4%90%3B%3B%3B
HTTP/1.1" 200 0 "-" "curl/7.79.1"
When the request is received by the application running within tomcat, url
is decoded as
URL=http://localhost:8080/233.0.100?event=autoproc&fn=F
Щ中確ŘÆWŠd'ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip&cksum=1225205368&addparms=Name|||FЩ中確ŘÆWŠd'ÜΔá!èに문ńn°șдľóáåค้çжĐ;;;
If I decode the fn param in the url, it should
be FЩ中確ŘÆWŠd'ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip rather than
FЩ中確ŘÆWŠd&#39;ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip.
Notice the character after d. It is ' (quote), but tomcat decodes as "&#39;".
Default LANG is en_US.UTF-8 and connector in conf/server.xml.
why is tomcat not url decoding correctly?
Tomcat is decoding it correctly (I've just tested this with a trivial
JSP). Something, NOT Tomcat, is HTML escaping the value. Generally, you
want the HTML escaping because displaying user provided data that
contains unescaped quotes is likely to expose an XSS vulnerability.
Mark
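To make the diagnosis above checkable against the logged request, here is an added Python example (not code from this thread, from Tomcat, or from the reporter's application). It percent-decodes the fn parameter from the quoted nginx line exactly as a UTF-8 connector would, shows that the apostrophe comes out as a plain ' at that stage, HTML-escapes the result to reproduce the &#39; the application reported, and puts a vulnerable render beside the hardened one to show what that escaping prevents. The log line is re-joined from the wrapped copy above; the entity table, the classify function, the render functions and the attacker-chosen file name are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the nginx access-log line quoted in the thread,
# re-joined onto one line (the mail client wrapped it).
NGINX_LINE = (
    '"-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +0000] "GET /233.0.100?event=autoproc'
    '&fn=F%D0%A9%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8'
    '%E3%81%AB%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84'
    '%E0%B9%89%C3%A7%D0%B6%C4%90.zip&cksum=1225205368&addparms=Name%7C%7C%7CF%D0%A9'
    '%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8%E3%81%AB'
    '%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84%E0%B9%89'
    '%C3%A7%D0%B6%C4%90%3B%3B%3B HTTP/1.1" 200 0 "-" "curl/7.79.1"'
)

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE|PATCH) (\S+) HTTP/\d\.\d"')


def query_param_from_access_log(line, name, encoding="utf-8"):
    """Extract the request target from an nginx log entry and percent-decode
    one query parameter.

    Tomcat decodes the raw %XX bytes with the connector's URIEncoding; passing
    encoding="iso-8859-1" here reproduces the mojibake a mis-set connector
    would produce, which looks nothing like an HTML entity.
    """
    m = REQUEST_RE.search(line)
    if m is None:
        raise ValueError("no request line in log entry")
    query = urlsplit(m.group(1)).query
    params = parse_qs(query, keep_blank_values=True, encoding=encoding, errors="strict")
    return params[name][0]


# Minimal HTML escaper (constructed). The apostrophe becomes &#39;, the
# spelling reported in the thread; the stdlib html.escape() emits &#x27; for
# the same character, so it is not used here.
ENTITY_FOR = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def html_escape(text):
    return "".join(ENTITY_FOR.get(ch, ch) for ch in text)


def classify_observed(observed, raw_line, name="fn"):
    """Tell a URL-decoding fault apart from an HTML-escaping layer.

    observed is the string the application reported; raw_line is the nginx
    entry for the same request.
    """
    decoded = query_param_from_access_log(raw_line, name)
    if observed == decoded:
        return "url-decoded, not escaped"
    if observed == html_escape(decoded):
        return "url-decoded, then html-escaped downstream"
    return "mismatch: check connector URIEncoding or another transform"


def render_status_unsafe(fn):
    # Vulnerable: user-controlled file name dropped straight into HTML.
    return f"<p>Processing file '{fn}'</p>"


def render_status_safe(fn):
    # Hardened: escape at the point of output. The quote in the thread's file
    # name survives as &#39;, which the browser renders as a plain '.
    return f"<p>Processing file '{html_escape(fn)}'</p>"


# Constructed attacker-chosen file name: closes the <p> and injects markup.
EVIL_FN = "x'</p><img src=x onerror=alert(document.cookie)>.zip"


if __name__ == "__main__":
    fn = query_param_from_access_log(NGINX_LINE, "fn")
    print("decoded fn:   ", fn)
    print("html-escaped: ", html_escape(fn))
    print("wrong charset:", query_param_from_access_log(NGINX_LINE, "fn", encoding="iso-8859-1"))
    print(classify_observed(html_escape(fn), NGINX_LINE))
    print("unsafe:", render_status_unsafe(EVIL_FN))
    print("safe:  ", render_status_safe(EVIL_FN))
```

Running it prints the file name with a bare ' after the d, then the same string with &#39; in that position, which is the form the application reported; the iso-8859-1 line shows what a real decoding problem would look like instead. Pass the application's reported value to classify_observed together with the nginx line and it names which of the three cases you are in.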