Garret,

On 2/4/19 17:22, Garret Wilson wrote:
> On 2/4/2019 7:31 PM, Christopher Schultz wrote:
>> Garret,
>> 
>> On 2/3/19 16:20, Garret Wilson wrote:
>>> If we want to look up the thing identified by 
>>> https://example.info/foobar, we would need to issue a request
>>> to 
>>> https://example.com/https%3A%2F%2Fexample.info%2Ffoobar/description
>>
>> Why are you %-encoding the slashes at all? They are perfectly legal
>> as-is.
> 
> 
> Hmmm… So let's say my RESTful API endpoint is 
> https://example.com/{thingURI}/description as I mentioned. (Yes, I
> know that RESTful APIs don't have to be meaningful or structured as
> long as we use HATEOAS, but… a lot of us like them.) So you're
> saying that to request information for the resource
> https://example.info/foobar, I would send a GET request to:
> 
> https://example.com/https%3A//example.info/foobar/description
> 
> That raises all sorts of questions, such as
> 
> * The double slash is OK? Really!??
> * Is there any RESTful API framework on the planet that would realize
>   the URI path "/https%3A//example.info/foobar/description" matched
>   "{thingURI}/description"? So if I'm using JAX-RS with a
>   @Path("{thingURI}/description") with a string @PathParam("thingURI")
>   thing, JAX-RS would set the "thing" parameter to
>   "https://example.info/foobar"?? I highly doubt that.

I've never used a RESTful API framework, but you can always pull the
full URI from a request and do whatever you want with it.

> Either I'm missing something and I'm going to learn something cool;
> or you missed some of the details of what I wrote. :) If I'm
> missing something, please explain because I'm ready to learn!

No, I got it. I just didn't realize that the opaqueness of the
{thingURI} had to be ... so opaque.

The only problem you are running into is the inertia of history.
http://example.com/foo%2fbar has sometimes been interpreted to mean
the same thing as http://example.com/foo/bar even though it should
never have been so. Erring on the side of security seems to be a Good
Thing these days.

If your application isn't rendered insecure by setting
ALLOW_ENCODED_SLASH=true, then by all means, use it.

As for not setting it for the whole server, that's hard to do, since
the URL-decoding must happen before the request is mapped to a
particular application.

-chris
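As an added illustration (not code from Tomcat, JAX-RS, or either poster), the Python below models the two orderings the thread turns on: the container decoding %2F before the request is mapped, gated by a flag standing in for ALLOW_ENCODED_SLASH, versus an application that takes the raw request URI, splits it on literal slashes, and only then decodes each segment. The function names, the toy route matcher, and the status-code tuples are assumptions made for the example.

```python
from urllib.parse import unquote

class EncodedSlashRejected(Exception):
    """Stands in for the HTTP 400 a container sends when %2F is not allowed."""

def decode_path(raw_path, allow_encoded_slash=False):
    """Container-side decoding that runs BEFORE the request is mapped.
    allow_encoded_slash=False: any %2F/%2f in the path is rejected outright.
    allow_encoded_slash=True:  %2F decodes to a literal '/', i.e. it becomes a
    segment separator and the 'opaque' parameter is no longer opaque."""
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        raise EncodedSlashRejected(raw_path)
    return unquote(raw_path)

def match_route(segments, template="{thingURI}/description"):
    """Toy @Path matcher (assumption): {name} binds exactly one segment and
    literal pieces must be equal. Returns bound params, or None on no match."""
    tpl = template.strip("/").split("/")
    if len(segments) != len(tpl):
        return None
    params = {}
    for seg, piece in zip(segments, tpl):
        if piece.startswith("{") and piece.endswith("}"):
            params[piece[1:-1]] = seg
        elif seg != piece:
            return None
    return params

def dispatch(raw_path, allow_encoded_slash=False):
    """Decode first, then split and map: the order Chris describes for the
    container. Returns ('400', None), ('404', None) or ('200', params)."""
    try:
        decoded = decode_path(raw_path, allow_encoded_slash)
    except EncodedSlashRejected:
        return "400", None
    params = match_route(decoded.strip("/").split("/"))
    return ("200", params) if params is not None else ("404", None)

def dispatch_from_raw_uri(raw_path):
    """The alternative Chris alludes to: read the raw request URI, split on
    literal '/' first, then decode each segment, so an encoded slash stays
    inside its segment and {thingURI} is genuinely opaque."""
    segments = [unquote(s) for s in raw_path.strip("/").split("/")]
    params = match_route(segments)
    return ("200", params) if params is not None else ("404", None)
```

Note that with the flag on, "/foo%2fbar" decodes to exactly "/foo/bar" before any mapping or path-based check sees it, which is the equivalence Chris says should never have held.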

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
