
Why does Apache Tomcat handle encoded slashes (%2F) as path separators?

Apache Tomcat (at least before Tomcat 6, see footnote) treats a percent-encoded slash (%2F) in a URI path just like a regular slash (i.e. as a path delimiter).

So e.g. the servlets example page of Tomcat can be accessed at

  • http://localhost:8080/examples/servlets/ and at
  • http://localhost:8080/examples%2Fservlets/

This does not make sense to me. The whole point of percent-encoding a reserved character like "/" is to avoid it being treated as a reserved character (in this case a path delimiter). In addition to this, this behaviour is (one) cause of the vulnerability CVE-2007-0450. However, I assume there must have been a reason for this.

  • Is there any technical reason why Tomcat treats (ok, used to treat) %2F as a path delimiter?

  • Is there some situation where this behaviour is helpful?


Footnote: I realize that due to CVE-2007-0450 Tomcat's default behaviour was changed to reject percent-encoded slashes in the path. However, if this check is disabled (ALLOW_ENCODED_SLASH), the old behavior remains.

sleske asked Oct 24 '13 21:10


1 Answer

It was related to when Tomcat was behind an httpd reverse proxy. In some circumstances the URI was partially encoded so the %2F handling was necessary to undo that encoding.

It created a number of security issues which were fixed around the same time CVE-2007-0450 was fixed. For background, look at the ForwardURIxxx options in the mod_jk docs: http://tomcat.apache.org/connectors-doc/reference/apache.html That covers a few cases where you still might want this feature (but because of the possible security issues I'd avoid it if at all possible).

The default behaviour is now for httpd to pass the URI to Tomcat unchanged and for Tomcat to treat encoded characters as exactly that.

Mark Thomas answered Nov 13 '22 02:11
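The two readings of %2F discussed above, as an added Python example (not code from the question, the answer, or Tomcat): it compares "split on /, then decode" with "decode, then split" and flags access-log requests where the two disagree. The function names and the log lines are constructed for illustration; the two paths are the ones from the question.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '127.0.0.1 - - [24/Oct/2013:21:10:00 +0000] "GET /examples/servlets/ HTTP/1.1" 200 5343',
    '127.0.0.1 - - [24/Oct/2013:21:10:05 +0000] "GET /examples%2Fservlets/ HTTP/1.1" 200 5343',
    '127.0.0.1 - - [24/Oct/2013:21:10:09 +0000] "GET /examples/a%20b?x=1%2F2 HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/[\d.]+"')


def segments_split_then_decode(raw_path):
    """Split on literal '/' first, then percent-decode each segment.
    An encoded slash stays data inside a single segment."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def segments_decode_then_split(raw_path):
    """Percent-decode the whole path, then split on '/'.
    This is the reading in which %2F acts as a path delimiter."""
    return [seg for seg in unquote(raw_path).split("/") if seg]


def flag_ambiguous(log_lines):
    """Return request paths that the two readings segment differently,
    i.e. requests a proxy and a backend could interpret differently."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # the query string is not a path
        if segments_split_then_decode(path) != segments_decode_then_split(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for p in ("/examples/servlets/", "/examples%2Fservlets/"):
        print(p, segments_split_then_decode(p), segments_decode_then_split(p))
    print("ambiguous:", flag_ambiguous(SAMPLE_LOG))
```
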