apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <gst...@lyra.org>
Subject Re: moving gen_test_char from server/ to apr-util/
Date Tue, 19 Mar 2002 20:48:03 GMT
On Tue, Mar 19, 2002 at 08:41:11PM +0100, Sander Striker wrote:
> > From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
> > Sent: 19 April 2002 20:31
> 
> > At 01:56 PM 3/19/2002, you wrote:
> > >any objections ?
> > >if we do this we can move some other functions which are generic into 
> > >apr-util.

+1

> > >ap_escape_os_path for example
> > 
> > That example should move to apr (associated with apr_proc_create),
> > not apr-util.  Other uses of gen_test_char should move to apr-util [the
> > many escape patterns of http, rfc822 encoding, etc.]

There should never be a need to escape an OS path, which would obviate any
need to move to APR. If we need to escape an OS path, then that means we're
leaking an OS path (i.e. security issue).

About the only place that I can think an OS path would be leaked is in
mod_info or somesuch. But even then, that would be *HTML* escape, not URI
escaping. And those are entirely different.

> Well, the function I'd really like to move is ap_escape_uri.  That
> is simply a macro that calls ap_escape_os_path.

And that macro is *WRONG*. Operating system paths are not the same as URI
paths, and there should be two separate functions to do the escaping.

As a matter of fact, there have been observed problems with the incorrect
URI escaping because of that macro overlay.

> It would be nice if we could have all the uri manipulation stuff
> in apr-util.

I absolutely agree.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Mime
View raw message