WebApp Sec mailing list archives

Re: java.net.URI.normalize() problem


From: Garth Somerville <therealgarth () yahoo com>
Date: Fri, 18 Feb 2005 11:19:37 -0800 (PST)


--- Felipe Moreno <fmoreno () gmail com> wrote:

I don't see any reason to use the path instead of
decodedPath (other than a bug).  Any thoughts?

The behavior is correct.  One of the three legitimate
reasons characters are escaped in URLs is to *prevent*
them from having their normal meaning in the URL.  You
can't ask the URI class to distinguish the case where
the character is encoded to hide its intention to have
the normal meaning.

If you believe the URI class should treat the
following as being the same URL:

http://foo.com/A/B
http://foo.com/A%2FB

then what do you think it should do with these two?

http://foo.com/A?hello/there
http://foo.com/A%3Fhello/there

Should they have the same meaning?



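The distinction drawn in the message above, as an added example that is not part of the original post: it prints how java.net.URI sees the four URLs from the message after normalize(), comparing the raw path, the decoded path and the query. The class name EscapedDelimiters and the helper segments() are hypothetical; the helper shows one way to keep an escaped "/" as data by splitting the raw path before decoding.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class name; the URLs are the four from the message above.
public class EscapedDelimiters {

    // Hypothetical helper: split the *raw* path on "/" first, then decode each
    // segment, so an escaped "/" (%2F) stays inside its segment as data.
    static List<String> segments(URI u) {
        List<String> out = new ArrayList<>();
        for (String raw : u.getRawPath().split("/")) {
            if (!raw.isEmpty()) {
                // Single-argument parsing keeps escapes; getPath() decodes them.
                out.add(URI.create("/" + raw).getPath().substring(1));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String[] urls = {
            "http://foo.com/A/B",
            "http://foo.com/A%2FB",
            "http://foo.com/A?hello/there",
            "http://foo.com/A%3Fhello/there"
        };
        for (String s : urls) {
            URI u = URI.create(s).normalize();
            System.out.println(s);
            System.out.println("  raw path : " + u.getRawPath());
            System.out.println("  path     : " + u.getPath());
            System.out.println("  query    : " + u.getQuery());
            System.out.println("  segments : " + segments(u));
        }
        // URI.equals() compares the raw forms, so each pair stays distinct.
        System.out.println("A/B equals A%2FB: "
            + URI.create(urls[0]).equals(URI.create(urls[1])));
        System.out.println("A?hello/there equals A%3Fhello/there: "
            + URI.create(urls[2]).equals(URI.create(urls[3])));
    }
}
```

getPath() returns the decoded form, so any check that must tell an escaped delimiter from a real one has to look at getRawPath() or at per-segment values like those from segments().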
