httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 35256] %2F will be decoded in PATH_INFO (Documentation to AllowEncodedSlashes says no decoding will be done)
Date Tue, 09 Mar 2010 20:37:33 GMT

--- Comment #13 from Will Rowe <> 2010-03-09 20:37:30 UTC ---
My question is; what is adding the string %2f to the token?

If the string needs to be the Literal Text, e.g. a file names foo%2fbar, that
URL is only valid if the '%' is escaped by the client.

E.g. to retrieve /foo%2fbar - the string /foo%252fbar must be passed as the
request URI.  It isn't a question of accepting '%2F' but a question of passing
the percent as an encoded literal; refer to
section 2.4.2;

   Because the percent "%" character always has the reserved purpose of
   being the escape indicator, it must be escaped as "%25" in order to
   be used as data within a URI.  Implementers should be careful not to
   escape or unescape the same string more than once, since unescaping
   an already unescaped string might lead to misinterpreting a percent
   data character as another escaped character, or vice versa in the
   case of escaping an already escaped string.

The reason %2f or %5C are decrypted goes to this statement;

   In some cases, data that could be represented by an unreserved
   character may appear escaped; for example, some of the unreserved
   "mark" characters are automatically escaped by some systems.  If the
   given URI scheme defines a canonicalization algorithm, then
   unreserved characters may be unescaped according to that algorithm.
   For example, "%7e" is sometimes used instead of "~" in an http URL
   path, but the two are equivalent for an http URL.

The keyword here is 'equivalent'.  httpd cannot preserve the %2F text while
allowing safe reencoding/redecoding.

If the client is failing to escape '%' that is a client flaw; please mention
what the origin of this filename pattern is.  A form submission?

We concur the documentation is entirely broken and needs to be revisited.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message