incorrect decoding of URL in getServletPath()
Status: Beta
Brought to you by:
rickknowles
HttpServletRequest.getServletPath() decodes URL incorrectly. Specifically, it decodes '+' to ' ', which is just defined for query string but not for the URL in general.
The bug is in WebAppConfiguration.java line 1279. From what it seems like you need a different version of the decodeURLToken() method.
Logged In: YES
user_id=179238
Originator: YES
Oh, and any plan to replease 0.9.10? I know you've made a few other bug fixes and I'd like to pick them up, too.
Logged In: YES
user_id=716353
Originator: NO
I'm thinking of making the next one v1.0 ...
Not trying to argue the point here, but the wikipedia article mentions two RFCs about URI encoding to back up it's point, and I can't seem to find any mention in the RFCs it quotes that the "+" behaviour should differ.
I'm "going deep" on the verification for this one because of some bad experiences with the MS WebFolders WebDAV client on Windows with japanese chars, so if I change it I want to be 100% sure I understood the spec right. I don't put a lot of stock in Wikipedia directly, especially after the recent "Fox news whitewashing wikipedia" stories on reddit.
If you can help me by finding the section I couldn't, I'll be very appreciative and gladly change it to match, assuming it doesn't break IE and firefox (which can't automatically be assumed from spec compliance).
Thanks,
Rick
Logged In: YES
user_id=179238
Originator: YES
http://tools.ietf.org/html/rfc1738 end of section 2.2, it says:
> Thus, only alphanumerics, the special characters "$-_.+!*'(),", and
> reserved characters used for their reserved purposes may be used
> unencoded within a URL.
So '+' is indeed allowed as un-escaped in URL.
Also see RFC 2396 (http://tools.ietf.org/html/rfc2396) and compare section 3.3 and 3.4. The path component includes '+' as a valid char, but 3.4 says '+' is reserved.
Logged In: YES
user_id=716353
Originator: NO
OK thanks - that was exactly what I was looking for. It's clearly more than just the plus sign, which is what concerned me.
I'll get in and do this in the next day or two, and if you can give it a try and say it's ok or not, I'll push it out as v0.9.10 straight away. v1.0 should probably wait a bit.
Thanks again,
Rick