On Thu, 13 Sep 2001, Lars Oppermann wrote:
> > I agree that this URI handling sucks. I'm the one that
> > committed the change that made it happen and I still
> > think it sucks. However, allowing these encoded characters
> > opens some very large security problems.
>
> From what I understand, these security problems are all related to
> mapping URIs to filesystem paths. So how do you feel about doing this
> processing in the filesystem (default) servlet?

It is not related only to the filesystem, but to the whole
security-constraint and servlet-mapping system (both of them require
exact match and don't take into account 'hacked' URLs that would pass
security constraints and be mapped via extension-mapped or default
servlets).

In addition, keep in mind the user is allowed to replace the default
servlet, and it may use other file-system dependent servlets. And if we
had so many problems with checking this, I doubt most users will be able
to put the right checks in their servlets.

But this is pointless - as long as a security constraint can be bypassed
by a double-slash or similar things, and you can have extension-mapped
resources (most very unlikely to do the adequate checks), I don't think
we can even discuss not normalizing the request.

Costin
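
The bypass described in the message above, as an added example that is not part of the original e-mail and is not Tomcat's code: a simplified Python model that runs the constraint check and servlet mapping first on the raw URI and then on the normalized one. The `/admin/*` constraint, the `*.jsp` mapping, the function names and the sample requests are constructed assumptions.

```python
from urllib.parse import unquote

# Constructed model of container matching; names and rules are assumptions.
PROTECTED_PREFIXES = ["/admin/"]               # security-constraint: /admin/*
EXTENSION_MAPPINGS = {".jsp": "jsp-servlet"}   # servlet-mapping: *.jsp

def normalize(raw):
    """Decode once, collapse '//', resolve '.' and '..'; None if invalid."""
    path = unquote(raw)
    if not path.startswith("/") or "\x00" in path:
        return None
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                  # empty segment = doubled slash
        if seg == "..":
            if not out:
                return None           # would climb above the context root
            out.pop()
        else:
            out.append(seg)
    tail = "/" if out and path.endswith("/") else ""
    return "/" + "/".join(out) + tail

def is_constrained(path):
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)

def map_servlet(path):
    for ext, servlet in EXTENSION_MAPPINGS.items():
        if path.endswith(ext):
            return servlet
    return "default-servlet"

def handle(raw, normalize_first):
    """Return (outcome, resource a file-backed servlet would end up opening)."""
    path = normalize(raw) if normalize_first else raw
    if path is None:
        return ("400", None)
    if is_constrained(path):
        return ("auth-required", None)
    return (map_servlet(path), normalize(raw))

# Constructed sample requests.
SAMPLES = ["/admin/users.jsp", "//admin/users.jsp",
           "/public/../admin/users.jsp", "/%61dmin/users.jsp", "/public/index.jsp"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw:30} raw={handle(raw, False)} normalized={handle(raw, True)}")
```

With matching on the raw URI, three of the four `/admin/` variants miss the constraint yet still reach the `*.jsp` mapping; with normalization done once in the container, before both checks, all four require authentication.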