HttpServletResponse.encodeURL not working for URLs starting with ../

[anca-jalbum]

Jetty version(s)
9.4.37 - 9.4.45

Java version/vendor
Java 1.8.0

OS type/version
Mac

Description
When doing HttpServletResponse.encodeURL("../foo/bar.jsp") when client has no session cookie so the URL should be rewritten as "../foo/bar.jsp;jsessionid=[sessionID]" the HttpURI.parse method responds with "Bad URI".

That is not a "Bad URI". Relative URLs with any number of ../ must be allowed.

How to reproduce?
Create a foo.jsp file in a foo-folder that just contains:
<%= response.encodeURL("../foo/bar.jsp") %>

Access the page http://[server]/foo/foo.jsp with a client that doesn't send cookies, or have no JSESSIONID cookie, like
curl http://[server]/foo/foo.jsp

This worked upto and including Jetty 9.4.36, but don't work with Jetty 9.4.37 and newer. So some update in 9.4.37 must have made this break.

I have 3rd party libraries that does this within servlets that I can't change, so it's a showstopper for me to upgrade to the latest version of Jetty.

[joakime]

I haven't replicated this yet, but this issue should also be impacting HttpServletResponse.encodeRedirectURL(String) as well. (similar code path).

[joakime]

I have been able to replicate easily with this test case...

d9c6414

The HttpURI is used within the encodeURL(String) method only to parse out various values.
But our HttpURI doesn't support relative path only Strings.

[joakime]

Opened PR #7616 with a fix.

[joakime]

Closing, Merged PR #7763

[gregw]

Reopening as not yet merged to 10, 11 & 12!