I'd still like to see Tomcat allow the slashes.  Here's my argument:

* Allowing two adjacent slashes to remain is not a security risk
* The Apache Web Server allows the slashes to remain
* Tomcat used to allow the slashes to remain
* Code (like mine) which used to work with Tomcat is now breaking
* It's breaking a book example too, which may cause lots of bug reports
(to both of us)
* Unless the spec says to normalize beyond what's necessary, Tomcat
shouldn't normalize beyond what's necessary

-jh-

Marc Saegesser wrote:
> 
> After looking into this further I've changed my mind.  I've tried this using
> other web servers (iPlanet, IIS 4.0 and 5.0) and in all cases the value in
> PATH_INFO has been fully normalized including removing adjacent /
> characters.  IIS gets the contents of PATH_INFO wrong, but it is fully
> normalized.  The CGI 1.1 specification is silent on this topic (like it is
> on most other important details).
> 
> I think we should leave Tomcat as it currently is in 3.2.3.  If you need to
> pass data to a servlet in the URL and that data *must not* be susceptible to
> URL normalization then the data *must* be in the query string.
> 
> Marc Saegesser
> 
> > -----Original Message-----
> > From: Jason Hunter [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, August 27, 2001 8:45 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Tomcat 3.2.3 and getPathInfo
> >
> >
> > Marc Saegesser wrote:
> > >
> > > Using Apache 1.3.19 here's what I see.  Apache does normalize the URL but
> > > there is a small difference between what it does and what Tomcat does.
> > > Apache does not remove multiple adjacent / characters.  For example,
> > >
> > > http://server/cgi-bin/script/fu/bar --> PATH_INFO = /fu/bar
> > > http://server/cgi-bin/script/fu/../bar --> PATH_INFO = /bar
> > > http://server/cgi-bin/script/fu//bar --> PATH_INFO = /fu//bar
> > >
> > > The multiple adjacent / characters don't seem to have any effect on locating
> > > resources.  For example,
> > >
> > > http://server///////cgi-bin/script/fu/bar
> > >
> > > works just fine.  Unless other committers feel otherwise, I'll work on
> > > changes to the tomcat_32 branch to make path info work as it does with CGI
> > > in Apache.
> >
> > Perfect, then my issue (at least) would be solved.
> >
> > -jh-
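
The two normalization behaviours compared in this thread, modelled side by side as an added Java example. It is not part of any message above and is not Tomcat's or Apache's code. The class name, the `normalize` helper, and the `example.com` sample are assumptions made for illustration. The first three inputs are the extra-path values quoted in the thread.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Objects;

public class PathInfoNormalization {

    // Illustrative normalizer for a path that starts with '/'.
    // collapseSlashes=false models the Apache 1.3.19 results quoted in the thread
    // (".." resolved, "//" kept); collapseSlashes=true models the full
    // normalization the thread describes for Tomcat 3.2.3, iPlanet and IIS.
    static String normalize(String path, boolean collapseSlashes) {
        Deque<String> kept = new ArrayDeque<>();
        String[] segments = path.split("/", -1);      // -1 keeps trailing empty segments
        for (int i = 1; i < segments.length; i++) {   // segments[0] is "" before the leading '/'
            String seg = segments[i];
            if (seg.equals(".")) continue;            // "." names the current level
            if (seg.equals("..")) {
                if (kept.isEmpty()) return null;      // would climb above the root: reject
                kept.removeLast();
                continue;
            }
            // An empty segment is the gap between two adjacent slashes.
            // The final empty segment is a trailing slash and is always kept.
            if (seg.isEmpty() && collapseSlashes && i < segments.length - 1) continue;
            kept.addLast(seg);
        }
        return "/" + String.join("/", kept);
    }

    public static void main(String[] args) {
        String[] samples = {
            "/fu/bar", "/fu/../bar", "/fu//bar",   // values from the thread
            "/http://example.com/page"             // constructed: data containing "//"
        };
        for (String s : samples) {
            String keep = normalize(s, false);
            String collapse = normalize(s, true);
            // A disagreement marks input that the two tiers would see differently.
            String note = Objects.equals(keep, collapse) ? "" : "<-- policies disagree";
            System.out.printf("%-26s keep=%-26s collapse=%-24s %s%n", s, keep, collapse, note);
        }
    }
}
```

Any input flagged as a disagreement is data that does not survive full normalization, which is the case the thread says belongs in the query string instead of the path.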
