Mantis - Resin
6212 minor always 01-27-19 05:53 01-31-19 13:43
stbu  
ferg  
normal  
closed 4.0.59  
fixed  
none    
none 4.0.60  
0006212: FileServlet must not use HTML escaped URL in Location header of sendRedirect
This change in com.caucho.servlets.FileServlet.java around line 531 is breaking some things:

526c531
< res.setHeader("Location", encUrl);
---
> res.setHeader("Location", htmlUrl);
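Review bot: The argument to res.setHeader("Location", ...) on the changed line should remain the URL-encoded value, not the HTML-escaped one. An HTTP header is not an HTML context, so the client follows the header value literally and every `&` separating query parameters reaches the next request as `&amp;`. Suggest keeping `res.setHeader("Location", encUrl);` and using htmlUrl only where the URL is written into HTML markup.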


Using an HTML-escaped URL in the HTTP Location header will break things for an index.jsp inside a directory.
Just consider this kind of web-app structure:

web-app-root/
            test/
                 index.jsp

And imagine the content of index.jsp is this:
<h1>Parameter p1=yes ? <%= "yes".equals(request.getParameter("p1"))%></h1>
<h1>Parameter p2=yes ? <%= "yes".equals(request.getParameter("p2"))%></h1>


With Resin before 4.0.59, such as 4.0.57, a request is correctly treated like this:
curl -L -i 'http://localhost/test?p1=yes&p2=yes'

HTTP/1.1 301 Moved Permanently
Server: Resin/4.0.57
Cache-Control: private
Location: http://localhost/test/?p1=yes&p2=yes
Content-Type: text/html; charset=utf-8
Content-Length: 82
Date: Sun, 27 Jan 2019 13:22:18 GMT

HTTP/1.1 200 OK
Server: Resin/4.0.57
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 66
Date: Sun, 27 Jan 2019 13:22:24 GMT

<h1>Parameter p1=yes ? true</h1>
<h1>Parameter p2=yes ? true</h1>

=> Result:
Since the request is performed against the directory /test without a trailing slash, the File Servlet will kick in and perform a sendRedirect.
The Location header used in this 301 redirect is correct, and the ?p1=yes and &p2=yes will arrive correctly at /test/index.jsp.



But with 4.0.59 the same request will have a changed output:
curl -L -i 'http://localhost/test?p1=yes&p2=yes'

HTTP/1.1 301 Moved Permanently
Server: Resin/4.0.59
Cache-Control: private
Location: http://localhost/test/?p1=yes&amp;p2=yes
Content-Type: text/html; charset=utf-8
Content-Length: 86
Date: Sun, 27 Jan 2019 13:20:41 GMT

HTTP/1.1 200 OK
Server: Resin/4.0.59
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 67
Date: Sun, 27 Jan 2019 13:20:41 GMT

<h1>Parameter p1=yes ? true</h1>
<h1>Parameter p2=yes ? false</h1>


=> Result:
The Location header in the 301 redirect is now HTML-escaped, and the &p2=yes was changed to &amp;p2=yes.
The index.jsp asking for parameter "p2" will no longer get the value "yes".
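
The encoding mismatch described in this report, as an added example that is not part of the original report and not Resin's code. The variable names encUrl and htmlUrl are borrowed from the diff above; the helpers htmlEscape and parseQuery are hypothetical, and the URL is constructed to match the report's request.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectEncodingDemo {
    // Hypothetical helper: minimal HTML escaping for text placed in markup.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Hypothetical helper: split a query string on '&' as the receiving side
    // does for the follow-up request. No HTML entity decoding happens at this
    // layer (percent-decoding is omitted because the sample needs none).
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return params;
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed input matching the redirect target in the report.
        String encUrl = "http://localhost/test/?p1=yes&p2=yes";
        String htmlUrl = htmlEscape(encUrl);

        // Each output context gets its own encoding: the header carries the
        // URL as-is, HTML markup carries the escaped form.
        System.out.println("Location: " + encUrl);
        System.out.println("Markup:   <a href=\"" + htmlUrl + "\">moved</a>");

        // Parameters the follow-up request would carry for each header value.
        System.out.println("encUrl  -> " + parseQuery(encUrl));
        System.out.println("htmlUrl -> " + parseQuery(htmlUrl));
    }
}
```

With the HTML-escaped value the second parameter is parsed under the name `amp;p2`, so a lookup of `p2` finds nothing, which matches the `false` shown in the 4.0.59 output.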


Notes
(0006868)
ferg   
01-31-19 13:43   
server/001x