spec/src/main/asciidoc/servlet-spec-body.adoc
+4-3
@@ -1331,10 +1331,8 @@ Characters other than `/`, `;` and `%` that are encoded in `%nn` form are decode
1331
1331
Any sequence of more than one `"/"` character in the URI must be replaced with a single `"/"`.
1332
1332
1333
1333
==== Remove dot-segments+
1334
-
* A path not starting with "/" must be rejected with a 400 response.
1335
1334
* Sequences of the form `"/./"` must be replaced with `"/"`.
1336
1335
* Sequences of the form `"/" + segment + "/../"` must be replaced with `"/"`.
1337
-
* If there is no preceding segment for a `".."` segment then return a 400 response.
1338
1336
1339
1337
==== Removal of path parameters
1340
1338
A path segment containing the `";"` character is split at the first occurence of `";"`. The segment is replaced by the character sequence preceeding the `";"`. The characters following the `";"` are considered a path parameters and may be preserved by the container for later processing (eg `jsessionid`).
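Review bot: the unchanged context line that closes this hunk ("A path segment containing the `";"` character ...") carries three spelling and grammar slips, "occurence", "preceeding" and "a path parameters"; since this change already edits the surrounding section, fix them to "occurrence", "preceding" and "path parameters" here rather than in a follow-up. Also, after removing the two bullets ("A path not starting with "/" must be rejected with a 400 response." and "If there is no preceding segment for a `".."` segment then return a 400 response.") the "Remove dot-segments" section no longer says what happens in those two cases, so a reader of this section alone has no pointer to where they are now handled; one sentence noting that such paths are dealt with under "Rejecting Suspicious Sequences" would keep the section self-contained.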
@@ -1346,11 +1344,14 @@ Any remaining `%nn` sequences in the path should be decoded. Some containers may
1346
1344
The decoded path is used to map the request to a context and resource within the context. This form of the URI path is used for all subsequent mapping (web applications, servlet, filters and security constraints).
1347
1345
1348
1346
==== Rejecting Suspicious Sequences
1349
-
If suspicious sequences are discovered during the prior steps, the request must be rejected with a 400 bad request using the error handling of the matched context. By default the set of suspicious sequences includes:
1347
+
If suspicious sequences are discovered during the prior steps, the request must be rejected with a 400 bad request. If a context is matched the the error handling of the context may be used to generate the response. By default the set of suspicious sequences includes:
1350
1348
1349
+
* Any path not starting with the `"/"` character
1350
+
* Any path starting with an initial segment of `".."`
1351
1351
* The encoded `"/"` character
1352
1352
* Any `"."` or `".."` segment that had a path parameter
1353
1353
* Any `"."` or `".."` segment with any encoded characters
1354
+
* Any `".."` segment preceeded by an empty segment
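Review bot: the added sentence "If a context is matched the the error handling of the context may be used to generate the response." has a doubled "the", and the new bullet "Any `".."` segment preceeded by an empty segment" misspells "preceded". Two substantive points as well. First, the rewrite turns "must be rejected with a 400 bad request using the error handling of the matched context" into "the error handling of the context may be used", which changes a requirement into an option; if that is intended, state what the container does when it does not use the context's error handling (a plain 400 with no context error page?), otherwise implementations will diverge. Second, the earlier step "Any sequence of more than one `"/"` character in the URI must be replaced with a single `"/"`" already collapses empty segments, so say how a `".."` segment can still be preceded by an empty segment at this point (for example a segment that became empty once its `";"` path parameter was stripped); without that, the last bullet reads as unreachable.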