httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 35256] %2F will be decoded in PATH_INFO (Documentation to AllowEncodedSlashes says no decoding will be done)
Date Wed, 10 Mar 2010 08:42:23 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=35256

--- Comment #14 from Daniel Koke <daniel.koke@iconparc.de> 2010-03-10 08:42:20 UTC ---
I understand your hint to RFC 2396, but with the
AllowEncodedSlashes directive I can change that behaviour:
"Allowing encoded slashes does not imply decoding. Occurrences of %2F or %5C
(only on according systems) will be left as such in the otherwise decoded URL
string"
(http://httpd.apache.org/docs/2.2/en/mod/core.html#allowencodedslashes) 

e.g.
www.myurl.de/test/test.html

Now I want to add a path variable:
www.myurl.de/test/var=variable_content/test.html
-> url www.myurl.de/test/test.html is called

The variable_content will be encoded by the system. If the variable_content
contains a path e.g. "foo/bar" it will be encoded to "foo%2fbar" and added to
the url:
www.myurl.de/test/var=foo%2fbar/test.html
-> url www.myurl.de/test/bar/test.html is called !!!!

I interpret the directive AllowEncodedSlashes to force my wanted behaviour. The
%2f should not be decoded (like the docu says) and the called url should be
www.myurl.de/test/test.html


(In reply to comment #13)
> My question is; what is adding the string %2f to the token?
> If the string needs to be the Literal Text, e.g. a file named foo%2fbar, that
> URL is only valid if the '%' is escaped by the client.
> E.g. to retrieve /foo%2fbar - the string /foo%252fbar must be passed as the
> request URI.  It isn't a question of accepting '%2F' but a question of passing
> the percent as an encoded literal; refer to http://tools.ietf.org/html/rfc2396
> section 2.4.2;
>    Because the percent "%" character always has the reserved purpose of
>    being the escape indicator, it must be escaped as "%25" in order to
>    be used as data within a URI.  Implementers should be careful not to
>    escape or unescape the same string more than once, since unescaping
>    an already unescaped string might lead to misinterpreting a percent
>    data character as another escaped character, or vice versa in the
>    case of escaping an already escaped string.
> The reason %2f or %5C are decrypted goes to this statement;
>    In some cases, data that could be represented by an unreserved
>    character may appear escaped; for example, some of the unreserved
>    "mark" characters are automatically escaped by some systems.  If the
>    given URI scheme defines a canonicalization algorithm, then
>    unreserved characters may be unescaped according to that algorithm.
>    For example, "%7e" is sometimes used instead of "~" in an http URL
>    path, but the two are equivalent for an http URL.
> The keyword here is 'equivalent'.  httpd cannot preserve the %2F text while
> allowing safe reencoding/redecoding.
> If the client is failing to escape '%' that is a client flaw; please mention
> what the origin of this filename pattern is.  A form submission?
> We concur the documentation is entirely broken and needs to be revisited.
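
Added example (not part of the bug report and not httpd's code): a small Python model of the three readings of "/test/var=foo%2fbar/test.html" discussed in this thread, plus the double-unescape case from RFC 2396 section 2.4.2. The function names are hypothetical and the sample paths are constructed from the URLs in the comment.

```python
import re
from urllib.parse import unquote

def decode_then_split(raw_path):
    """Unescape the whole path first, then split on '/'.
    An encoded slash becomes a separator, so one segment turns into two."""
    return [s for s in unquote(raw_path).split("/") if s]

def split_then_decode(raw_path):
    """Split on literal '/' first, then unescape each segment exactly once.
    Segment boundaries are the ones the client sent."""
    return [unquote(s) for s in raw_path.split("/") if s]

def decode_keep_encoded_slash(raw_path):
    """Unescape everything except %2F, as the documentation text quoted in
    the comment describes ("left as such in the otherwise decoded URL")."""
    pieces = re.split(r"(%2[fF])", raw_path)  # odd indices hold the %2F runs
    return "".join(p if i % 2 else unquote(p) for i, p in enumerate(pieces))

def decode_twice(raw_path):
    """The mistake RFC 2396 2.4.2 warns about: unescaping an already
    unescaped string, so an escaped '%' (%25) is misread as an escape."""
    return unquote(unquote(raw_path))

# Constructed sample inputs based on the URLs in the comment.
SINGLE = "/test/var=foo%2fbar/test.html"    # encoded slash inside a segment
DOUBLE = "/test/var=foo%252fbar/test.html"  # literal text "%2f" as data

if __name__ == "__main__":
    print(decode_then_split(SINGLE))          # segment split in two
    print(split_then_decode(SINGLE))          # segment kept whole
    print(decode_keep_encoded_slash(SINGLE))  # %2f left in place
    print(decode_keep_encoded_slash(DOUBLE))  # same string as the line above
    print(decode_twice(DOUBLE))               # literal "%2f" became "/"
```

The last two results show why the ordering matters to anything downstream: once %2F is left in an otherwise decoded string, an encoded slash and the literal text "%2f" are no longer distinguishable, and a second unescape pass turns either one into a path separator.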
