Mantis - Resin
Viewing Issue Advanced Details
2266 minor always 12-19-07 05:38 02-13-08 16:01
closed 3.0.21  
none 3.1.5  
0002266: Resin returns status 400 The request contains an illegal URL. without logging
When the request path includes two or more dots the requet is rejected. [^]

As the path includes dynamic information from the user the application is not able to return a proper error message due to the fact that the request never reaches the application.

Even if the .. is url encoded as %2E%2E the request is rejected.

As I read the specs. (primarily RFC 2396) the .. should not be changed for absolute urls and defenitely not in url encoded form.

Running the application on Apache Tomcat deliver the request to the application and returns a proper error page to the user.

No loggin is made in the access log in the above case.

01-02-08 10:38   
This is unlikely to be changed for security reasons. There are too many security breaches based on ".." to open this up just for the sake of better error messages. The application should be redesigned so ".." are not generated as URLs.
02-13-08 16:01   
server/02e4 - logging change