Affects Version/s: 6.0.12 EE, 6.1.30 EE GA3, 6.1.X EE, 6.2.0 CE GA1, 6.2.X EE
Component/s: Core Infrastructure
According to the servlet spec section 6.2.4:
When processing a <filter-mapping> element using the <url-pattern> style, the container must determine whether the <url-pattern> matches the request URI using the path mapping rules defined in Chapter 12, "Mapping Requests to Servlets"...
The path used for mapping to a servlet is the request URL from the request object minus the context path and the path parameters...
And then you pair that with the RFC for URI (RFC 2396) section 3.3:
The path component contains data, specific to the authority (or the
scheme if there is no authority component), identifying the resource
within the scope of that scheme and authority.
path = [ abs_path | opaque_part ]
path_segments = segment *( "/" segment )
segment = *pchar *( ";" param )
param = *pchar
pchar = unreserved | escaped |
":" | "@" | "&" | "=" | "+" | "$" | ","
The path may consist of a sequence of path segments separated by a
single slash "/" character. Within a path segment, the characters
"/", ";", "=", and "?" are reserved. Each path segment may include a
sequence of parameters, indicated by the semicolon ";" character.
The parameters are not significant to the parsing of relative
It means that we need to strip any path parameter off of any segment of the path before comparing the remaining path against the <url-pattern>.