Re: [servlet-dev] Clarification per #18 - draft for review

[Mark Thomas <markt@xxxxxxxxxx>]

On 01/10/2021 17:50, Joakim Erdfelt wrote:
> Thanks.
>
> Do we need to talk about Encoding for things like the `Location` 
> response header?

Yes.

> Does this URI Path Canonicalization also impact usage from things like 
> the `ServletContext.getRequestDispatcher(String)` ?

Yes.

This is just one of several write ups that should appear in the next few 
days for discussion on list. The other write ups should cover 
RequestDispatcher. I don't think Location was mentioned but I suspect 
once we have all the write ups it will be a case of "Treat location like 
...". If that doesn't work, we'll have to figure out a Location specific 
solution.

Mark


> On Fri, Oct 1, 2021 at 10:36 AM Mark Thomas <markt@xxxxxxxxxx 
> <mailto:markt@xxxxxxxxxx>> wrote:
>
>     Updated.
>
>     Changing the title changed the link. It is now:
>
>     https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Path-Canonicalization
>     <https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Path-Canonicalization>
>
>     Mark
>
>
>     On 01/10/2021 16:30, Mark Thomas wrote:
>      > On 01/10/2021 15:55, Joakim Erdfelt wrote:
>      >> The text makes it seem more of a URI _Path_ Canonicalization.
>      >
>      > It is. I'll update the text.
>      >
>      >> First thing that jumps out at me is the do not decode `%2F` and
>     `%2C`
>      >> lines.
>      >> Did you mean `%2C` (comma ",")?
>      >
>      > Sorry. Typo. I meant %5C - '\'. I'll fix that. I need to add '\'
>     as well.
>      >
>      >> Perhaps you meant `%25` (percent symbol "%")
>      >>
>      >> Also what about a unicode sequence that ends in those two?
>      >> What about someone that wants to access a resource (on the
>     filesytem
>      >> or in a META-INF/resources) that has
>      >> `/path;of/some;thing/like;this/main.css`?  The only way to
>     access that
>      >> is using encoded %3B, right?
>      >> Now what if it's stored on disk (or META-INF/resources) like
>      >> `/path%3Bof/some%3Bthing/like%3Bthis/main.css`? That would mean
>      >> accessing it with `%253B` encoded percent then "3B", right?
>     (have to
>      >> be careful of double-decode here, as usual)
>      >> Why only `%2F` (forward slash "/") and not also `%5C` (backslash
>     "\")?
>      >> Seems like that has multiple meanings too. (windows pathsep,
>     escaping,
>      >> etc)
>      >> The META-INF/resources layer in JAR files makes things ambiguous
>     here
>      >> too. (you can create a JAR file with backslash character in the
>      >> filename on Linux, but cannot access it on Windows, and vice-versa
>      >> with the forward slash character).
>      >
>      > I think the short version is that won't be allowed by default.
>      > Containers might provide an option to enable it.
>      >
>      > Thanks for the review.
>      >
>      > Mark
>      >
>      >>
>      >>
>      >> On Fri, Oct 1, 2021 at 5:59 AM Mark Thomas <markt@xxxxxxxxxx
>     <mailto:markt@xxxxxxxxxx>
>      >> <mailto:markt@xxxxxxxxxx <mailto:markt@xxxxxxxxxx>>> wrote:
>      >>
>      >>     Hi all,
>      >>
>      >>     The draft of the proposed clarification for URI
>     canonicalization
>      >> is on
>      >>     the wiki:
>      >>
>      >>
>     https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Canonicalization <https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Canonicalization>
>
>      >>
>     <https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Canonicalization
>     <https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Canonicalization>>
>      >>
>      >>     Feedback welcome.
>      >>
>      >>     Mark
>      >>     _______________________________________________
>      >>     servlet-dev mailing list
>      >> servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>
>     <mailto:servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>>
>      >>     To unsubscribe from this list, visit
>      >> https://www.eclipse.org/mailman/listinfo/servlet-dev
>     <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>      >>     <https://www.eclipse.org/mailman/listinfo/servlet-dev
>     <https://www.eclipse.org/mailman/listinfo/servlet-dev>>
>      >>
>      >>
>      >> _______________________________________________
>      >> servlet-dev mailing list
>      >> servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>
>      >> To unsubscribe from this list, visit
>      >> https://www.eclipse.org/mailman/listinfo/servlet-dev
>     <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>      >>
>      >
>      > _______________________________________________
>      > servlet-dev mailing list
>      > servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>
>      > To unsubscribe from this list, visit
>      > https://www.eclipse.org/mailman/listinfo/servlet-dev
>     <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>
>     _______________________________________________
>     servlet-dev mailing list
>     servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>
>     To unsubscribe from this list, visit
>     https://www.eclipse.org/mailman/listinfo/servlet-dev
>     <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>
>
> _______________________________________________
> servlet-dev mailing list
> servlet-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev