----- Original Message ----- 
From: "Mark Thomas" <[EMAIL PROTECTED]>
To: "'Tomcat Developers List'" <[EMAIL PROTECTED]>
Sent: Sunday, June 20, 2004 9:26 AM
Subject: RE: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5
CoyoteResponse.java


> Bill,
>
> Thanks for implementing a patch for TC5. I looked at porting it to TC4 and
> noticed that the implementation of toAbsolute() is very different. Looking
> through the CVS logs, the TC4 implementation used to be the same as TC5 but you
> changed it back in Oct 2002. I can see pros and cons of both implementations. Is
> one significantly better than the other and if so is it worth changing the other
> one? If not, I propose to add a 'location.startsWith("mailto:")' test to TC4 to
> fix bug 18147. What do you think?
>

My change back in 2002 was from java.net.URL to o.a.t.u.net.URL.  It was
Remy that didn't like all the garbage it produced for TC5 :).

Now, TC5 is probably better than TC4.  I also don't think that this is a
critical call, so I don't think it really matters.  The check for 'is an
absolute URL' is pretty much the same for well-formed URLs, but TC5 doesn't
generate garbage in checking.  It's true that TC5 doesn't correctly handle
the case of 'sendRedirect("//www.yahoo.com")', but I doubt that it is that
big of an issue.

To keep the current method of TC4, I'd go with:
  if (url.getAuthority() == null)
      return location;
(we might as well allow 'news:' as well :).

> Thanks,
>
> Mark
>
>
>
> > -----Original Message-----
> > From: Bill Barker [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, June 19, 2004 9:47 PM
> > To: Tomcat Developers List
> > Subject: Re: cvs commit:
> > jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5
> > CoyoteResponse.java
> >
> >
> > ----- Original Message ----- 
> > From: "Mark Thomas" <[EMAIL PROTECTED]>
> > To: "'Tomcat Developers List'" <[EMAIL PROTECTED]>
> > Sent: Saturday, June 19, 2004 11:50 AM
> > Subject: RE: cvs commit:
> > jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5
> > CoyoteResponse.java
> >
> >
> > > Fair point - I'll revert it now. Is your objection to the concept of supporting
> > > mailto in redirect or just this bad implementation of it? I have seen some uses
> > > of this and some users must want to do it or the bug report would never have
> > > been filed. I am happy to work on a better implementation.
> > >
> >
> > I don't care one way or the other about supporting mailto in
> > a redirect.
> >
> > I believe that the check used to be done by testing if a
> > o.a.t.u.net.URL
> > could be constructed from the 'location', and consider it
> > absolute if it
> > could be.  A well-formed mailto URI would pass this test.
> > This one would
> > also fail something like
> > 'foobar.html?uri=http://myserver/myapp', which
> > currently passes.  The current code is supposed to be an
> > optimization to
> > save the time (and garbage) of parsing a URI that just gets
> > thrown away.
> >
> > I could probably live with 'location.startsWith("mailto:")'
> > (and, even,
> > "news:" :) as a compromise.
> >
> > > Mark
> > >
> > > > -----Original Message-----
> > > > From: Bill Barker [mailto:[EMAIL PROTECTED]
> > > > Sent: Saturday, June 19, 2004 7:56 PM
> > > > To: Tomcat Developers List
> > > > Subject: Re: cvs commit:
> > > > jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5
> > > > CoyoteResponse.java
> > > >
> > > >
> > > > ----- Original Message ----- 
> > > > From: <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Saturday, June 19, 2004 11:14 AM
> > > > Subject: cvs commit:
> > > > jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5
> > > > CoyoteResponse.java
> > > >
> > > >
> > > > > markt       2004/06/19 11:14:23
> > > > >
> > > > >   Modified:    catalina/src/share/org/apache/coyote/tomcat5
> > > > >                         CoyoteResponse.java
> > > > >   Log:
> > > > >   Fix bug 18147. Prevent mailto URLs from being mangled in re-directs.
> > > > >     - Ported from TC4
> > > > >
> > > >
> > > > Big huge -1.  Please revert this, since it is questionable
> > > > that it fixes any
> > > > real problem, and it breaks plenty of things (e.g.
> > > > sendRedirect("mailto.html")).
> > > >
> > > >
> > >
> > >
> > >
> > >
> > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
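An added worked example (not Tomcat's code; written in Python rather than Java) of the toAbsolute() decision this thread argues about, exercised on the thread's own cases: scheme-prefixed URIs, including authority-less mailto: and news:, pass through untouched; 'mailto.html' and 'foobar.html?uri=http://myserver/myapp' are relative and get resolved against the request; '//www.yahoo.com' is handled explicitly as a network-path reference, which the thread notes TC5 did not do. The function names and the request scheme/host/port/URI parameters are assumptions; dot-segment normalisation is omitted.

```python
import re
from urllib.parse import urlsplit

# Scheme per RFC 2396: alpha *( alpha | digit | "+" | "-" | "." ), then ':'.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def has_scheme(location: str) -> bool:
    """Cheap 'is an absolute URL' test: does the string start with a scheme?
    A ':' that appears only after '/', '?' or '#' is not a scheme delimiter,
    so 'foobar.html?uri=http://myserver/myapp' is reported as relative."""
    return _SCHEME_RE.match(location) is not None


def classify(location: str) -> str:
    """'absolute'     : has a scheme and is passed through untouched; this
                        includes authority-less URIs such as mailto: and
                        news: (the getAuthority() == null case).
       'network-path' : no scheme but an authority, i.e. starts with '//'.
       'relative'     : everything else; resolved against the request."""
    if has_scheme(location):
        return "absolute"
    if urlsplit(location).netloc:
        return "network-path"
    return "relative"


def to_absolute(location: str, scheme: str, host: str, port: int,
                request_uri: str) -> str:
    """Build the Location header value the way toAbsolute() is meant to.
    Hypothetical signature: request scheme/host/port/URI are passed in."""
    kind = classify(location)
    if kind == "absolute":
        return location
    if kind == "network-path":
        # RFC 3986 resolution: keep only the request scheme. The thread notes
        # TC5 prefixed scheme://host instead, producing 'host//other-host'.
        return f"{scheme}:{location}"
    default_port = 443 if scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    if location.startswith("/"):
        path = location
    else:
        # Same-directory relative reference; dot-segment normalisation omitted.
        path = request_uri.rsplit("/", 1)[0] + "/" + location
    return f"{scheme}://{authority}{path}"


if __name__ == "__main__":
    for loc in ("mailto:user@example.com", "mailto.html", "//www.yahoo.com"):
        print(loc, classify(loc), to_absolute(loc, "http", "myserver", 8080, "/myapp/index.jsp"))
```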

