1) My priority is not static content, so I don't really care about the default servlet (though I would encourage you to think about it). Though I would really add a unit test or two trying to reference files with funky names, like %2F, etc. How many times are those encoded or not, or what?
2) I am using the web framework Tapestry. One of the nice benefits of that is that it supports passing parameters to a page using pretty urls.. for example:
Would call the appropriate page with the parameters ("param1", "param2"). Thus we get pretty urls. Internally Tapestry works as a filter, getting getServletPath, then cutting it up by "/" and determining the proper page and proper parameters. So what getServletPath returns is very important.
Now the case I'm trying to protect against is to send a rather ugly parameter through that pretty url.. specifically "/fbracket". Tapestry of course does a UrlEncode on those parameters before it constructs the expected url:
So that works just fine. On the way back, it then calls request.getServletPath and expects the same url, so that it can reconstitute the page parameters:
BUT Jetty seems to be doing a multiple decode or it also decodes the path part of the url, thus scrubbing the %2F from the url part. Tomcat does not do this.
So my argument is that the server should be decoding the query string parameter names/values (after being split by & and =), but should not be decoding the path part of the URL. Otherwise there might be confusion as to how many times the URL should or should not be encoded/decoded to represent a particular resource.
Sound reasonable? I guess you haven't run into this before. What do you think the behavior should be? It really should be consistent across servers no matter what.
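The point of the post, in code: a pretty-URL router has to split the still-encoded path on "/" and decode each segment once, so that an encoded slash (%2F) inside a parameter survives as a literal "/" within that segment. This is an added illustration, not code from the post, from Tapestry or from Jetty; it is written in Python with urllib.parse rather than the servlet API, and the function names (build_pretty_url, parse_pretty_url, parse_pretty_url_naive) are hypothetical. The naive variant reproduces the failure described above (decode the whole path first, then split) so the two can be compared on the same input; the query-string half shows the decode-after-split rule the post asks for there.

```python
from urllib.parse import parse_qs, quote, unquote


def build_pretty_url(page, params):
    """Encode each page parameter as its own segment (safe="" so '/' becomes %2F),
    the way a framework constructs a pretty URL before emitting it."""
    encoded = [quote(p, safe="") for p in params]
    return "/" + "/".join([page] + encoded)


def parse_pretty_url(raw_path):
    """Correct reconstitution: split the raw (undecoded) path on '/', then
    percent-decode every segment exactly once. A %2F stays inside its segment,
    and a double-encoded %252F comes back as the literal text '%2F'."""
    segments = [unquote(seg) for seg in raw_path.split("/") if seg]
    if not segments:
        return None, []
    return segments[0], segments[1:]


def parse_pretty_url_naive(raw_path):
    """The behaviour the post complains about: decode the whole path first and
    split afterwards, so an encoded '/' in a parameter creates a new boundary
    and the parameter list comes out with the wrong shape."""
    segments = [seg for seg in unquote(raw_path).split("/") if seg]
    if not segments:
        return None, []
    return segments[0], segments[1:]


def parse_query(raw_query):
    """Query string handling: split on '&' and '=' first, decode names/values
    once afterwards. parse_qs does exactly that, so '%26' in a value does not
    become a separator."""
    return parse_qs(raw_query, keep_blank_values=True)


def round_trips(page, params):
    """Check that what a page emits is what it gets back after one decode."""
    return parse_pretty_url(build_pretty_url(page, params)) == (page, list(params))


if __name__ == "__main__":
    # Constructed sample: a page with two parameters, the second containing a slash.
    url = build_pretty_url("viewitem", ["param1", "a/b"])
    print(url)                           # /viewitem/param1/a%2Fb
    print(parse_pretty_url(url))         # ('viewitem', ['param1', 'a/b'])
    print(parse_pretty_url_naive(url))   # ('viewitem', ['param1', 'a', 'b'])
    print(parse_query("k=a%2Fb&x=%26"))  # {'k': ['a/b'], 'x': ['&']}
```

Running the two parsers over the same raw path makes the server-side difference visible: the per-segment decoder returns the two parameters the page emitted, the decode-first parser returns three. The double-encoded check is the unit test the first paragraph asks for: with exactly one decode, "%252F" must come back as the literal string "%2F" and never as a slash.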