DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36986>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=36986
Summary: mod_rewrite special character codes %23, %26, %2F
problem
Product: Apache httpd-1.3
Version: HEAD
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: mod_rewrite
AssignedTo: bugs@httpd.apache.org
ReportedBy: web@saqibkadri.net
Mod_rewrite has problems with the special character codes %23, %26, and %2F (for
#, &, /) appearing in the request URL - the URL pattern being rewritten.
%23 and %26 seem to escape the rewrite (any substitution variables after
this point seem to be set to null). %2F causes the rewrite to break (404
error) in all examples I tested.
mod_rewrite seems to automatically decode the '%25' code. So these characters
can be passed on by replacing the '%' with '%25', and passing the characters
into the URL as %2523, %2526, and %252F.
However, this workaround causes the variable values to be treated differently
than if they were passed from the un-rewritten URL. E.g., given the RewriteRule:
RewriteRule ^test/(.*) test.php?testvar=$1
In the case of the pattern URL:
/test/apples%2526oranges
Versus a direct request to:
/test.php?testvar=apples%2526oranges
The variable testvar would have a value of & in the former, and %26 in the
latter. This inconsistency can be solved by regex substitutions in GET variables
in the script itself, but that doesnt seem like a transparent or robust solution.
Note that the [NE] flag is for the substitution side rather than the pattern
side, so that doesn't help here.
To me this seems to be a bug, as %23, %26 and %2F probably shouldn't be treated
any differently than other special character codes.
Also, I couldn't find the tendency of mod_rewrite to automatically decode '%25'
before rewriting (when it is followed by a two-character hexadecimal code) noted
anywhere in the documentation, and I think it should be. And this, too, can
cause problems. e.g., given the same RewriteRule above, requests to:
/test/sports%25fan
versus:
/test.php?testvar=sports%25fan
Result in different values of testvar: 'sportsϊn' versus 'sports%fan'.
I am unsure if this should be classified as a separate issue, but since both
issues are strongly related I am reporting them together.
Regards,
Saqib
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
|