Re: [servlet-dev] Clarification per #18 - draft for review
On 01/10/2021 17:50, Joakim Erdfelt wrote:
> Thanks.
>
> Do we need to talk about Encoding for things like the `Location`
> response header?

Yes.

> Does this URI Path Canonicalization also impact usage from things like
> the `ServletContext.getRequestDispatcher(String)` ?

Yes.

This is just one of several write ups that should appear in the next few
days for discussion on list. The other write ups should cover
RequestDispatcher. I don't think Location was mentioned but I suspect
once we have all the write ups it will be a case of "Treat location like
...". If that doesn't work, we'll have to figure out a Location specific
solution.

Mark

On Fri, Oct 1, 2021 at 10:36 AM Mark Thomas <markt@xxxxxxxxxx> wrote:
Updated.
Changing the title changed the link. It is now:
https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Path-Canonicalization
Mark

On 01/10/2021 16:30, Mark Thomas wrote:
> On 01/10/2021 15:55, Joakim Erdfelt wrote:
>> The text makes it seem more of a URI _Path_ Canonicalization.
>
> It is. I'll update the text.
>
>> First thing that jumps out at me is the do not decode `%2F` and `%2C`
>> lines.
>> Did you mean `%2C` (comma ",")?
>
> Sorry. Typo. I meant %5C - '\'. I'll fix that. I need to add '\'
> as well.
>
>> Perhaps you meant `%25` (percent symbol "%")
>>
>> Also what about a unicode sequence that ends in those two?
>> What about someone that wants to access a resource (on the filesystem
>> or in a META-INF/resources) that has
>> `/path;of/some;thing/like;this/main.css`? The only way to access that
>> is using encoded %3B, right?
>> Now what if it's stored on disk (or META-INF/resources) like
>> `/path%3Bof/some%3Bthing/like%3Bthis/main.css`? That would mean
>> accessing it with `%253B` encoded percent then "3B", right? (have to
>> be careful of double-decode here, as usual)
>> Why only `%2F` (forward slash "/") and not also `%5C` (backslash "\")?
>> Seems like that has multiple meanings too. (windows pathsep, escaping,
>> etc)
>> The META-INF/resources layer in JAR files makes things ambiguous here
>> too. (you can create a JAR file with backslash character in the
>> filename on Linux, but cannot access it on Windows, and vice-versa
>> with the forward slash character).
>
> I think the short version is that won't be allowed by default.
> Containers might provide an option to enable it.
>
> Thanks for the review.
>
> Mark
>
>>
>>
>> On Fri, Oct 1, 2021 at 5:59 AM Mark Thomas <markt@xxxxxxxxxx> wrote:
>>
>> Hi all,
>>
>> The draft of the proposed clarification for URI canonicalization
>> is on the wiki:
>>
>> https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Canonicalization
>>
>> Feedback welcome.
>>
>> Mark
>> _______________________________________________
>> servlet-dev mailing list
>> servlet-dev@xxxxxxxxxxx
>> To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/servlet-dev
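
The cases raised in this thread (a literal `;` versus `%3B`, `%253B` and double decoding, encoded `%2F` and `%5C`), as an added Java example that is not part of the original messages and is not the wiki draft's algorithm. The class and method names are hypothetical, the sample paths are constructed, and refusing encoded separators outright is an assumption of this example; dot-segment handling is left out.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added illustration with hypothetical names; not the wiki draft's algorithm.
public class PathSegmentDemo {
    // Split on literal '/', drop parameters after a literal ';', decode each segment once.
    static List<String> segments(String rawPath) {
        List<String> out = new ArrayList<>();
        for (String seg : rawPath.split("/", -1)) {
            int semi = seg.indexOf(';');
            out.add(decodeOnce(semi < 0 ? seg : seg.substring(0, semi)));
        }
        return out;
    }
    // Single pass over the raw text: "%253B" yields "%3B", which is never decoded again.
    static String decodeOnce(String seg) {
        if (!seg.chars().allMatch(ch -> ch < 0x80)) throw new IllegalArgumentException("non-ASCII in raw path");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (int i = 0; i < seg.length(); i++) {
            char c = seg.charAt(i);
            if (c != '%') { buf.write(c); continue; }
            if (i + 2 >= seg.length()) throw new IllegalArgumentException("truncated escape");
            int hi = Character.digit(seg.charAt(i + 1), 16);
            int lo = Character.digit(seg.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("malformed escape");
            int b = hi * 16 + lo;
            // Assumption of this example: encoded separators are refused, never decoded.
            if (b == '/' || b == '\\') throw new IllegalArgumentException("encoded path separator");
            buf.write(b); i += 2; // skip the two hex digits just consumed
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) {
        // Constructed sample paths modelled on the cases raised in the thread.
        String[] samples = {
            "/path;of/some;thing/like;this/main.css",
            "/path%3Bof/some%3Bthing/like%3Bthis/main.css",
            "/path%253Bof/main.css",
            "/docs%2Fmain.css",
            "/docs%5Cmain.css"
        };
        for (String s : samples) {
            try { System.out.println(s + " -> " + segments(s)); }
            catch (IllegalArgumentException e) { System.out.println(s + " -> rejected: " + e.getMessage()); }
        }
    }
}
```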