Undertow / UNDERTOW-1886

Request dispatcher is returned when the path points to outside the servlet context


      In Undertow, when the class io.undertow.util.CanonicalPathUtils is used to canonicalize a given path URI, it may ignore some two-dot segments (../) when the calculated path goes beyond/outside the servlet context.

      The javadoc of getRequestDispatcher says:

      The pathname specified may be relative, although it cannot extend outside the current servlet context. If the path begins with a "/" it is interpreted as relative to the current context root. This method returns null if the servlet container cannot return a RequestDispatcher.

      So a path like /../../../something is currently returning the dispatcher to /something which is against the spec or at least very weird. Returning null is much more aligned with the spec and with the reference implementation.

      There will be a way (system property) of setting back the previous behavior just in case.
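
The two behaviours side by side, as an added example that is not Undertow's `CanonicalPathUtils` code: a hypothetical `canonicalize` helper resolves dot segments either by dropping a `..` that has nothing left to pop, which is how `/../../../something` ends up as `/something`, or by returning null as soon as the path leaves the context root. The class name, method name, `lenient` flag and sample paths are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ContextPathCheck {

    /**
     * Resolves "." and ".." segments of a context-relative path (hypothetical helper).
     * lenient = true : a ".." at the context root is silently dropped,
     *                  the behaviour the issue reports.
     * lenient = false: returns null once the path would leave the context root,
     *                  so the caller can refuse to hand out a dispatcher.
     * Simplification: trailing slashes and percent-encoded dots are not handled.
     */
    static String canonicalize(String path, boolean lenient) {
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // "//" and "/./" do not change the position
            }
            if (segment.equals("..")) {
                if (!stack.isEmpty()) {
                    stack.removeLast();   // step up one level inside the context
                } else if (!lenient) {
                    return null;          // would step above the context root
                }
                continue;                 // lenient mode: extra ".." is ignored
            }
            stack.addLast(segment);
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed sample paths, all interpreted relative to the context root.
        String[] samples = {
            "/../../../something",
            "/a/../b",
            "/a/b/../../../other",
            "/a/./b"
        };
        for (String p : samples) {
            System.out.printf("%-24s lenient=%-12s strict=%s%n",
                    p, canonicalize(p, true), canonicalize(p, false));
        }
    }
}
```

A caller in strict mode treats a null result the way the javadoc describes: no `RequestDispatcher` is returned for that path.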

        1. IssueTest.war
          2 kB
          Ricardo Martin Camarero
