On 09.08.24 11:51, Patil, Tushar wrote:
> Hi Mark,
> We are more curious to understand why the pipe character was working fine in
> the 9.x.x series & not working in the 10.x.x series. Is there any enhancement
> done by Tomcat in the 10.x.x series for blocking the pipe character?
> Can we get any documentation which will help us understand the reason why it
> was working earlier?
Does it matter?
From https://bz.apache.org/bugzilla/show_bug.cgi?id=60594:
"The valid characters are defined in RFC 7230 and RFC 3986"
No matter why they worked, it is clearly a bug to rely on them as
they're explicitly illegal.
Just assume it was a bug that the characters weren't checked
appropriately, but now they are. And fix it in your application.
Given the reasons for the fix (e.g. avoiding cache poisoning), and given
that you know they're illegal characters: No matter why this issue
slipped in any prior version (and even for those versions): You
definitely should change your implementation. Keep in mind that your
application might also break randomly on any client's proxy if that
proxy is validating legal characters. You're now looking at the root
cause and can fix it without some unknown external user stating that
your application does not work /for them/ (because of their proxy, but
they won't even think to tell you that they're using a proxy to begin
with).
It's the wrong question to worry about.
Olaf
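As an added example, not part of the thread or of Tomcat itself, here is a small Python check of an origin-form request-target against the RFC 3986 character classes that the cited bug report points to, together with the usual application-side fix of percent-encoding anything outside the grammar. The sample URL and the function names are constructed for illustration.

```python
import re
from urllib.parse import quote

# RFC 3986 character classes; pct-encoded (%XX) is handled separately.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | {":", "@"}
PATH_CHARS = PCHAR | {"/"}          # path = *( "/" segment ), segment = *pchar
QUERY_CHARS = PCHAR | {"/", "?"}    # query = *( pchar / "/" / "?" )
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")

def illegal_chars(component, allowed):
    """Characters in `component` that are neither in `allowed` nor part of
    a well-formed %XX escape. A lone or malformed '%' is reported as '%'."""
    bad, i = set(), 0
    while i < len(component):
        c = component[i]
        if c == "%" and PCT_ENCODED.match(component, i):
            i += 3                      # skip a valid escape as one unit
            continue
        if c not in allowed:
            bad.add(c)
        i += 1
    return sorted(bad)

def check_request_target(target):
    """Split an origin-form request-target at the first '?' and report the
    illegal characters of the path and the query separately."""
    path, _, query = target.partition("?")
    return {"path": illegal_chars(path, PATH_CHARS),
            "query": illegal_chars(query, QUERY_CHARS)}

def is_valid_request_target(target):
    report = check_request_target(target)
    return not report["path"] and not report["query"]

def fix_request_target(target):
    """Application-side fix: percent-encode every character outside the
    grammar of its component. Existing %XX escapes are kept as they are."""
    path, sep, query = target.partition("?")
    path = quote(path, safe="".join(PATH_CHARS) + "%")
    query = quote(query, safe="".join(QUERY_CHARS) + "%")
    return path + sep + query

if __name__ == "__main__":
    # Constructed sample: a pipe inside a query value, the pattern that Tomcat 9 let through.
    raw = "/app/search?filter=name|status&x=1"
    print(check_request_target(raw))   # {'path': [], 'query': ['|']}
    print(fix_request_target(raw))     # /app/search?filter=name%7Cstatus&x=1
```

The same check reproduces what a strict intermediary (a proxy validating legal characters, as mentioned above) would do, so it can be run against an application's generated URLs before they reach either Tomcat or a client's proxy.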