Mark Thomas

Results 274 comments of Mark Thomas

Now the CVE background to these Tomcat changes is public, some feedback on https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 would be helpful. The more input the Tomcat team has on that issue, the better decision...

Some follow-up. The definition of Java identifier uses `Java Letter` and `Java Digit` which are broader than `Character.isLetter()` and `Character.isDigit()`. I think the JavaCC grammar means `Java Letter` and `Java Digit` where...

A complicating factor is that different versions of Java have a different view of what is and is not a Java Letter or a Java Digit. That means the definition...

For the record, Tomcat has been updated to use the definition for identifier for the minimum version of Java the EL spec targets. My reasoning was that avoided interoperability issues...

An additional point requiring clarification is that RFC 3986 (section 2.2) states that %nn encoded reserved characters are not equivalent to their decoded forms. i.e. "/foo/bar/" and "/foo%2Fbar" are not...

I'd love to see us make some progress on this in the next iteration of the Servlet spec. There are a lot of edge cases and interdependencies between edge cases...

Wiki page has been created. I think the first thing to tackle is path parameters. https://github.com/eclipse-ee4j/servlet-api/wiki/HTTP-URIs-and-Servlet-API-methods

Agreed wholeheartedly re security issues. It is also important we clarify these ambiguities and get consistent behaviour between containers because inconsistent behaviour between containers can also be a source of...

I agree that `path` in `ServletContext.getResource(String path)` should be consistent with the values returned for `getServletPath()` and `getPathInfo()`. As I have got my head around the evolution of path parameters...