#13 incorrect REQUEST_URI when index.php is set as a welcome fil

closed
None
5
2010-08-13
2010-08-06
Mingfai
No

In jetty, $_SERVER['REQUEST_URI'] shows incorrect request_uri when index.php is used as a welcome file. request to / is transparently forwarded to /index.php by Jetty, and the request_uri in PHP is the forwarded uri ("/index.php") instead of the original request uri ("/")

JavaBridge is using the following code to obtain the request_uri in FastCGIServlet.java:
env.requestUri = (String) req.getAttribute("javax.servlet.include.request_uri");
if (env.requestUri == null) env.requestUri = req.getRequestURI();

In my Jetty environment, req.getAttribute("javax.servlet.include.request_uri") returns null, however, req.getAttribute("javax.servlet.forward.request_uri") will return the correct uri before forwarding. (i.e. "/test/" instead of "/test/index.php")

Both javax.servlet.include.request_uri and javax.servlet.forward.request_uri are defined in the Servlet spec. For include, in Servlet spec 8.3.1, it is stated that:

javax.servlet.include.request_uri
...
These attributes are accessible from the included servlet via the getAttribute method on the request object and their values must be equal to the request URI, context path, servlet path, path info, and query string of the included servlet, respectively. If the request is subsequently included, these attributes are replaced for that include.

For forward, in Servlet spec 8.4.2, it is stated that:

javax.servlet.forward.request_uri
...

The values of these attributes must be equal to the return values of the HttpServletRequest methods getRequestURI, getContextPath, getServletPath, getPathInfo, getQueryString respectively, invoked on the request object passed to the first servlet object in the call chain that received the request from the client.

A simple solution is to replace javax.servlet.include.request_uri with javax.servlet.forward.request_uri as the latter one is said as the first servlet request uri, i.e. it won't use the forwarded uri. Or just check both attributes.

Regardless of what the Servlet spec said, Tomcat and Jetty are the two most popular open source servlet engine and I'll test the behavior in Tomcat and make sure we can get the correct request_uri in both servlet engines before submitting a patch.

also see the mail list message with the same title

Discussion

  • Mingfai

    Mingfai - 2010-08-06

    Tested in Tomcat. For welcome/index file, getRequestURI() shows the correct URI, i.e. / instead of /index.php

    Tomcat didn't implement both javax.servlet.* attributes.

    As the current code included the javax.servlet attribute checking line:
    env.requestUri = (String) req.getAttribute("javax.servlet.include.request_uri");

    i believe you have developed it to support another servlet container that getRequestURI will not show the correct URI in some cases. I suggest we just stack the checking from forward.request_uri -> include.request_uri -> getRequestURI()

     
  • Mingfai

    Mingfai - 2010-08-06
     
  • Mingfai

    Mingfai - 2010-08-06

    uploaded a patch. it basically add one more checking for the javax.servlet.forward.request_uri attribute. It is required to make the REQUEST_URI variable work for Jetty. And it won't affect other servlet containers that doesn't implement javax.servlet.forward.request_uri attribute.

     
  • Jost Bökemeier

    Jost Bökemeier - 2010-08-11
    • assigned_to: nobody --> jost_boekemeier
    • status: open --> closed
     
  • Jost Bökemeier

    Jost Bökemeier - 2010-08-11

    Won't fix.

    <!--from.jsp-->
    <jsp:forward page="to.php"/>

    should point to "to.php", not to "from.jsp".

    It isn't possible to workaround this jetty bug.

     
  • Jost Bökemeier

    Jost Bökemeier - 2010-08-12
    • status: closed --> open
     
  • Jost Bökemeier

    Jost Bökemeier - 2010-08-12

    > it seems to me the definition of REQUEST_URI is a grey area so don't worry
    > if our views are different.

    From

    => http://www.php.net/manual/en/reserved.variables.server.php

    'REQUEST_URI'
    The URI which was given in order to access this page; for instance, '/index.html'.

    ...

    But from the comments below:

    danny at orionrobots dot co dot uk
    31-Jul-2008 09:25
    It is worth noting here that if you use $_SERVER['REQUEST_URI'] with a rewrite rule, the original, not rewritten URI will be presented.

    I have changed your ticket state back to open.

     
  • Mingfai

    Mingfai - 2010-08-12

    >Tomcat didn't implement both javax.servlet.* attributes.
    previously, i mentioned in the comment that Tomcat doesn't implement javax.servlet.* attribute. It's not true. If there is actually a servlet forward, the javax.servlet.forward.* attributes will be available. Tomcat simply didn't treat welcome file as a kind of forwarding. (unlike jetty)

    so, what Jost mentioned in the mail list is right. My patch and proposed change will change the current behavior.

    If we won't change the REQUEST_URI definition, i suggest to change
    FastCGIServlet.Environment from private to protected, so we could easily extend the FastCGIServlet and override the
    protected void setupRequestVariables(HttpServletRequest req, Environment env) method.

    currently, the method is set as protected but Environment is private so the method cannot be overridden.

     
  • Jost Bökemeier

    Jost Bökemeier - 2010-08-13

    Fixed in CVS head.

    Thank you very much for contributing this patch!

     
  • Jost Bökemeier

    Jost Bökemeier - 2010-08-13
    • status: open --> closed
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks