Bug 66393 - ExtendedAccessLogValve's x-P(XXX) does not correspond to the documentation
Summary: ExtendedAccessLogValve's x-P(XXX) does not correspond to the documentation
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.84
Hardware: All All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2022-12-15 21:45 UTC by Michael Osipov
Modified: 2022-12-20 10:23 UTC (History)
1 user (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Osipov 2022-12-15 21:45:05 UTC
This [1] resource says:
x-P(XXX) for the URL encoded (using UTF-8) request parameter with name XXX
But the code [2] does:
>             try {
>                 return URLEncoder.encode(value, "UTF-8");
>             } catch (UnsupportedEncodingException e) {
>                 // Should never happen - all JVMs are required to support UTF-8
>                 return null;
>             }
>         }

This is java.net.URLEncoder. We all know that this class is deceiving because it actually implements form encoding (Javadoc: Utility class for HTML form encoding. This class contains static methods for converting a String to the application/x-www-form-urlencoded MIME format.) and not URL/URI encoding which produces different results. Tomcat includes a decent URLEcoder class, maybe this one should rather be used, no?

Note: I haven't verified with other Tomcat versions, but I guess they have the same problem.

[1] https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Extended_Access_Log_Valve/Attributes
[2] https://github.com/apache/tomcat/blob/cf2015c1350a3f057182dd4c26c20f68df8b3400/java/org/apache/catalina/valves/ExtendedAccessLogValve.java#L412-L418
Comment 1 Han Li 2022-12-20 10:23:39 UTC
Fixed in:
- 11.0.x for 11.0.0-M2 onwards
- 10.1.x for 10.1.5 onwards
- 9.0.x for 9.0.71 onwards
- 8.5.x for 8.5.85 onwards