> On Tue, 16 Apr 2002, Remy Maucherat wrote: > > > Thanks. > > Since the problem is real, I've put in a fix (it will return 400 the way > > 4.0.x does). > > > > I'm not sure why it happens though. > > I think because the file extension is ".jsp\0", it gets mapped to the > > default servlet, which would then attempt to serve the resource. On Windows, > > I was getting a 404, so my guess is that it was trying to get 'foo.jsp\0' > > (and failing correctly), while on Unix the file would be found (somehow). > > > > IIRC, this is the same as what we saw the last time this kind of thing > showed up -- and it was ultimately because of the filesystem logic on the > underlying OS. Such a runtime written in C (like most Unix stuff is) will > not have any problem at all accepting "foo.jsp\0" and treating it as a > reference to "foo.jsp" -- because null bytes delimit Strings in the C I/O > library.
Thanks for the explanation. Refusing a null character in a decoded URL seems like a safe choice. Remy -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
