Re: [servlet-dev] Clarification per #18 - draft for review
Updated.
Changing the title changed the link. It is now:
https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Path-Canonicalization
Mark
On 01/10/2021 16:30, Mark Thomas wrote:
On 01/10/2021 15:55, Joakim Erdfelt wrote:
The text makes it seem more of a URI _Path_ Canonicalization.
It is. I'll update the text.
First thing that jumps out at me is the do not decode `%2F` and `%2C` 
lines.
Did you mean `%2C` (comma ",")?
Sorry. Typo. I meant %5C - '\'. I'll fix that. I need to add '\' as well.
Perhaps you meant `%25` (percent symbol "%")
Also what about a unicode sequence that ends in those two?
What about someone that wants to access a resource (on the filesystem 
or in a META-INF/resources) that has 
`/path;of/some;thing/like;this/main.css`?  The only way to access that 
is using encoded %3B, right?
Now what if it's stored on disk (or META-INF/resources) like 
`/path%3Bof/some%3Bthing/like%3Bthis/main.css`? That would mean 
accessing it with `%253B` encoded percent then "3B", right? (have to 
be careful of double-decode here, as usual)
Why only `%2F` (forward slash "/") and not also `%5C` (backslash "\")? 
Seems like that has multiple meanings too. (windows pathsep, escaping, 
etc)
The META-INF/resources layer in JAR files makes things ambiguous here 
too. (you can create a JAR file with backslash character in the 
filename on Linux, but cannot access it on Windows, and vice-versa 
with the forward slash character).
I think the short version is that won't be allowed by default. 
Containers might provide an option to enable it.
Thanks for the review.
Mark
On Fri, Oct 1, 2021 at 5:59 AM Mark Thomas <markt@xxxxxxxxxx 
<mailto:markt@xxxxxxxxxx>> wrote:
    Hi all,
    The draft of the proposed clarification for URI canonicalization is on
    the wiki:
    https://github.com/eclipse-ee4j/servlet-api/wiki/URI-Canonicalization
    Feedback welcome.
    Mark
    _______________________________________________
    servlet-dev mailing list
    servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>
    To unsubscribe from this list, visit
    https://www.eclipse.org/mailman/listinfo/servlet-dev
    <https://www.eclipse.org/mailman/listinfo/servlet-dev>
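
The cases raised in this thread (encoded `;`, the `%253B` double-decode trap, and `%2F` / `%5C` left undecoded) can be checked with a decode-once segment parser. This is an added example, not text from the wiki draft or code from any servlet container. The names `canonical_segments` and `AmbiguousPath`, the choice to drop path parameters, and the rejection of a literal backslash are assumptions of the sketch.

```python
import re
from urllib.parse import unquote

class AmbiguousPath(ValueError):
    """Raised when a raw path cannot be mapped to one unambiguous resource."""

# Assumption of this sketch: these two stay rejected, following the thread's
# "do not decode" lines for %2F ('/') and %5C ('\').
ENCODED_SEPARATOR = re.compile(r"%(2f|5c)", re.IGNORECASE)
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

def canonical_segments(raw_path):
    """Return decoded path segments; every segment is percent-decoded once."""
    if not raw_path.startswith("/"):
        raise AmbiguousPath("path must start with '/'")
    segments = []
    for raw in raw_path[1:].split("/"):
        # A literal ';' starts path parameters (assumed: dropped for mapping).
        # An encoded %3B is data and survives into the decoded name.
        name = raw.split(";", 1)[0]
        if "\\" in name or ENCODED_SEPARATOR.search(name):
            raise AmbiguousPath(f"separator inside segment: {raw!r}")
        if BAD_ESCAPE.search(name):
            raise AmbiguousPath(f"malformed percent-escape: {raw!r}")
        try:
            # Single decode pass: %253B becomes the literal text %3B and is
            # never decoded a second time.
            segments.append(unquote(name, errors="strict"))
        except UnicodeDecodeError as exc:
            raise AmbiguousPath(f"invalid UTF-8 in {raw!r}") from exc
    return segments

if __name__ == "__main__":
    # Constructed sample paths, modelled on the ones quoted in the thread.
    for path in ("/path%3Bof/some%3Bthing/like%3Bthis/main.css",
                 "/path%253Bof/main.css", "/path;of/main.css",
                 "/a%2Fb", "/a%5Cb"):
        try:
            print(path, "->", canonical_segments(path))
        except AmbiguousPath as err:
            print(path, "-> rejected:", err)
```

Because the separator check runs on the raw segment before decoding, `%252F` is accepted and yields the literal text `%2F`, while `%2F` itself is refused.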