On Jan 14, 2009, at 10:16 AM, Jean-Christophe Counio wrote:
> Thanks Paul for the investigation. Yes, it seems it is a constraint
> containers put due to a security
> flaw (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450),
> not really a bug then,
> but it will force me to double-encode anyway.
>
Hmm... I understand this makes sense for the case of a Web server
returning static files, but for servlets I do not understand why this
constraint should apply. If the request is to be dispatched to the
servlet why is such a security constraint enforced? I think it is
still a bug.
Paul.