WebApp Sec mailing list archives

java.net.URI.normalize() problem


From: Felipe Moreno <fmoreno () gmail com>
Date: Thu, 17 Feb 2005 23:30:09 +0100

Hi all,

I am working on a J2EE filter to implement URL-based access control
on a web application. To avoid the possibility of bypassing the
control using manipulated URL paths I was planning on using the
normalize() method in java.net.URI class before applying regexp
filters.

But after some tests (URL and unicode encoded paths) I have found out
that it does not really work. In fact, this method normalizes the path
attribute of the URI object and not the decodedPath as I expected (I'm
using 1.4.2_06). Normalizing before decoding allows for a lot of URL
manipulation attacks like for example:

The URL /images/gif/..%2F../admin/login.jsp will be transformed to
/images/gif/../../admin/login.jsp instead of /admin/login.jsp because
normalize() fails to see %2F as a "/" as one should expect. This could
allow someone to bypass the filters blocking access using a regexp
like /admin.* on the (supposed) normalized form.

I don't see any reason to use the path instead of decodedPath (other
than a bug).  Any thoughts?

So I have implemented my own normalize() method, but I would like to
know: what do the people on the list use for URL normalization?

Regards,

Felipe.
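Added example (not code from the message above, and not the filter its author wrote): it puts the approach the message describes, java.net.URI.normalize() followed by getPath(), beside a decode-first canonicalizer of the kind the author says he ended up writing himself, and runs both over the URL from the message plus a few constructed variants. Java 8 or later is assumed. The class and method names, the rejection rules (refuse leftover '%', NUL, backslash, and any ".." that climbs above the root) and every probe other than /images/gif/..%2F../admin/login.jsp are this example's own choices.

```java
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.regex.Pattern;

public class PathCanonicalizer {

    // The rule from the message: anything under /admin needs an authenticated user.
    private static final Pattern ADMIN = Pattern.compile("/admin.*");

    // The approach described in the message. normalize() works on the still-encoded
    // path, so "..%2F.." is one opaque segment and survives; getPath() then decodes
    // it into "../..", which the regexp sees uncollapsed.
    static String naiveNormalize(String rawRequestUri) throws URISyntaxException {
        return new URI(rawRequestUri).normalize().getPath();
    }

    // Exactly one pass of %XX decoding. java.net.URLDecoder is deliberately avoided:
    // it turns '+' into a space, which is form encoding, not path encoding.
    static String percentDecodeOnce(String raw) {
        byte[] in = raw.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            if (in[i] == '%' && i + 2 < in.length) {
                int hi = Character.digit((char) in[i + 1], 16);
                int lo = Character.digit((char) in[i + 2], 16);
                if (hi >= 0 && lo >= 0) {
                    out.write((hi << 4) | lo);
                    i += 2;
                    continue;
                }
            }
            out.write(in[i]);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Segment-wise normalization of an already-decoded path. Empty and "." segments
    // are dropped (so "//admin" and "/./admin" become "/admin"); ".." pops the
    // previous segment. Returns null when ".." would climb above the root, a case
    // java.net.URI.normalize() silently preserves as "/../...".
    static String normalizeSegments(String decodedPath) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : decodedPath.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null;
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    // Decode first, normalize second, refuse anything ambiguous. Input is the
    // undecoded path as HttpServletRequest.getRequestURI() returns it, without the
    // query string. Returns null for a request the filter should reject outright.
    static String canonicalPath(String rawRequestUri) {
        String decoded = percentDecodeOnce(rawRequestUri);
        // A '%' left after one pass means double encoding (%252F) or a non-standard
        // escape such as %u2215. This also rejects a path that legitimately carries
        // a literal '%' (sent as %25); narrow it to %2F and %5C if you need those.
        if (decoded.indexOf('%') >= 0) return null;
        // NUL and backslash have no business in a path an access rule is matched on.
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) return null;
        return normalizeSegments(decoded);
    }

    // The decision an anonymous user gets under each scheme.
    static boolean naiveAllowsAnonymous(String rawRequestUri) throws URISyntaxException {
        return !ADMIN.matcher(naiveNormalize(rawRequestUri)).matches();
    }

    static boolean allowsAnonymous(String rawRequestUri) {
        String canonical = canonicalPath(rawRequestUri);
        return canonical != null && !ADMIN.matcher(canonical).matches();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed probes for this example, not taken from real traffic.
        String[] probes = {
            "/images/gif/..%2F../admin/login.jsp",   // the case from the message
            "/images/gif/..%252F../admin/login.jsp", // double-encoded slash
            "/%61dmin/login.jsp",                    // encoded letter inside "admin"
            "//admin/login.jsp",                     // leading empty segment
            "/admin/../../admin/login.jsp",          // climbs above the root
            "/images/logo.gif",                      // harmless
        };
        for (String p : probes) {
            System.out.printf("%-40s naive=%-36s anon=%-5s | canonical=%-18s anon=%s%n",
                p, naiveNormalize(p), naiveAllowsAnonymous(p),
                canonicalPath(p), allowsAnonymous(p));
        }
    }
}
```

Running main() shows the first probe coming out of naiveNormalize() as /images/gif/../../admin/login.jsp exactly as the message reports, so the naive check lets an anonymous user through, while canonicalPath() collapses it to /admin/login.jsp. The double-encoded and above-root probes come back null from canonicalPath() and are denied; "//admin/login.jsp" is worth noting because new URI() parses the leading "//" as an authority, so the naive path is just /login.jsp. Trailing slashes are dropped by normalizeSegments(), which is fine for a prefix rule like /admin.* but matters if you match exact paths.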

