What was unexpected for me, was that even if the the symbol is URL encoded, it was still stripped out by tomcat. I understand now allowing a backslash in a URL, however if it is URL encoded as %5C then why not allow it? Maybe I'm missing something
On Fri, Oct 13, 2017 at 7:17 AM, i...@flyingfischer.ch <i...@flyingfischer.ch> wrote: > Am 13.10.2017 um 12:48 schrieb Alex O'Ree: >> Well that explains a lot. Similar issue for me. With url encoding, tomcat >> is dropping back slash and the plus symbol. > > While I think it is perfectly eligible to strive for a most perfect > alignement with standards and specs, I think Tomcat should allow a > reasonnable set of characters to be optionally allowed (as they already > are in Tomcat up to 8.5). > > I am aware that these options may be a security issue and that the > documentation should state that clearly. However it is not always > possible to correct the environment to be "standard" compatible and the > educational approach by not allowing these options is understandable but > may be not appropriate in many situations. > > Best regards > Markus > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
