Jason Lee wrote on 06/ 2/10 09:47 AM:
> Shing Wai (and Amy) tell me that the web container suffers from the same
> vulnerability that the Tomcat changelog warns of. Ken and I have both
> confirmed this via testing (curl http://localhost:8080/foo%2Fbar.html
> returns the contents of foo/bar.html when it shouldn't).
And do they say why that can't, or shouldn't, be fixed?
Does the servlet spec have anything to say about this behavior?
Should it?
I don't understand why it should *ever* automatically decode URLs.
If I enter "http://java.sun.com%2fjavaee" in a browser, it fails
as expected. What is depending on the decoding being done automatically?
Being able to configure this per web app seems like a good compromise,
in case there's code out there that depends on this.
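As an added example, not code from this thread or from the GlassFish or Tomcat projects, a small Python check that mirrors the curl test quoted above: it flags raw request targets where decoding would introduce path separators, which is the condition a front-end filter or access-log review would look for. Function names are my own.

```python
from urllib.parse import unquote, urlsplit


def path_gains_separators(raw_path: str) -> bool:
    """True if percent-decoding the raw path would add '/' or '\\' separators.

    That is exactly the case in the thread: /foo%2Fbar.html is one literal
    segment, but a container that decodes before mapping resolves it as the
    two-segment path /foo/bar.html and serves that file.
    """
    raw_separators = raw_path.count("/") + raw_path.count("\\")
    decoded = unquote(raw_path)
    decoded_separators = decoded.count("/") + decoded.count("\\")
    return decoded_separators > raw_separators


def classify_request(raw_target: str) -> str:
    """Classify a raw request target as the thread's two test cases do.

    'invalid-host'       -> encoded bytes in the authority part; a browser
                            refuses to resolve such a host, which is the
                            java.sun.com%2fjavaee case.
    'encoded-separator'  -> decoding the path would change its structure;
                            this is what a filter should reject or log.
    'ok'                 -> decoding does not alter path structure.
    """
    parts = urlsplit(raw_target)
    if "%" in parts.netloc:
        return "invalid-host"
    if path_gains_separators(parts.path):
        return "encoded-separator"
    return "ok"


# Constructed sample targets: the two from the thread plus a harmless one.
SAMPLE_TARGETS = [
    "http://localhost:8080/foo%2Fbar.html",
    "http://java.sun.com%2fjavaee",
    "http://localhost:8080/foo/bar.html",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{classify_request(target):18} {target}")
```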