Java Reading Undecoded URL from Servlet

误落风尘 2021-02-10 02:32

Let's presume that I have a string like '=&?/;#+%' to be a part of my URL, let's say like this:

example.com/servletPath/someOtherPath/myString/something.ht         


        
5 Answers
  •  天命终不由人
    2021-02-10 02:39

    There is a fundamental difference between '%2F' and '/', both for the browser and the server.

    The HttpServletRequest specification says (without any logic, AFAICT):

    • getContextPath: not decoded
    • getPathInfo: decoded
    • getPathTranslated: not decoded
    • getQueryString: not decoded
    • getRequestURI: not decoded
    • getServletPath: decoded

    The result of getPathInfo() should be decoded, but the result of getRequestURI() must not be decoded. If it is, your Servlet container is breaking the spec (as Wouter Coekaerts and Francois Gravel correctly pointed out). Which Tomcat version are you running?

    Making matters even more confusing, current Tomcat versions reject paths that contain encodings of certain special characters, for security reasons.
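
An added example, not code from the question or the answer above: it splits the undecoded URI (what `getRequestURI()` returns) on literal `/` before decoding each segment, so an encoded `%2F` stays inside its segment. The class name, method name and sample URI are hypothetical, Java 10 or later is assumed, and the container is assumed to let the encoded request through.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class RawPathSegments {

    // Split the undecoded URI on literal '/' first, then decode each segment.
    // In a servlet, rawRequestUri would be request.getRequestURI().
    static List<String> decodeSegments(String rawRequestUri) {
        List<String> segments = new ArrayList<>();
        for (String raw : rawRequestUri.split("/")) {
            if (raw.isEmpty()) {
                continue; // leading slash or empty segment
            }
            // URLDecoder does form decoding and would turn '+' into a space;
            // in a path '+' is literal, so protect it before decoding.
            String plusProtected = raw.replace("+", "%2B");
            // Throws IllegalArgumentException on malformed escapes such as "%zz".
            segments.add(URLDecoder.decode(plusProtected, StandardCharsets.UTF_8));
        }
        return segments;
    }

    // The order to avoid: decoding the whole path first turns %2F into a
    // separator, so one logical segment is split in two.
    static List<String> decodeThenSplit(String rawRequestUri) {
        String decoded = URLDecoder.decode(rawRequestUri, StandardCharsets.UTF_8);
        List<String> segments = new ArrayList<>(Arrays.asList(decoded.split("/")));
        segments.removeIf(String::isEmpty);
        return segments;
    }

    public static void main(String[] args) {
        // Constructed sample: the string '=&?/;#+%' percent-encoded as one segment.
        String rawUri = "/servletPath/someOtherPath/%3D%26%3F%2F%3B%23%2B%25/page";

        // [servletPath, someOtherPath, =&?/;#+%, page]
        System.out.println(decodeSegments(rawUri));
        // [servletPath, someOtherPath, =&?, ;#+%, page]
        System.out.println(decodeThenSplit(rawUri));
    }
}
```

Any access-control or routing decision made on the path should use the same segmentation as the code that later acts on it; mixing a decoded view such as `getPathInfo()` with the raw view is where `%2F` and `/` get confused.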
