Infrastructure

Is this documented? SInce it requires specific configuration of Tomcat and not something we can control in Metacat code, it makes it very difficult for us to guarantee that this test will pass for all deployments of Metacat that we do not have control over. I reconfigured my local Tomcat and was able to use backslashes.

See: http://tomcat.apache.org/security-6.html
The pertinent details form that page:

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false
Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.
Affects: 6.0.0-6.0.9

Added to Metacat documentation.
Verified that it is in the cn-buildout.
Set the options on DEMO1-4