httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 35256] %2F will be decoded in PATH_INFO (Documentation to AllowEncodedSlashes says no decoding will be done)
Date Wed, 10 Mar 2010 08:42:23 GMT

--- Comment #14 from Daniel Koke <> 2010-03-10 08:42:20 UTC ---
I understand your hint to RFC 2396, but with the
AllowEncodedSlashes directive I can change that behaviour:
"Allowing encoded slashes does not imply decoding. Occurrences of %2F or %5C
(only on according systems) will be left as such in the otherwise decoded URL


Now I want to add a path variable:
-> url is called

The variable_content will be encoded by the system. If the variable_content
contains a path e.g. "foo/bar" it will be encoded to "foo%2fbar" and added to
the url:
-> url is called !!!!

I interpret the directive AllowEncodedSlashes to force my wanted behaviour. The
%2f should not be decoded (like the docu says) and the called url should be

(In reply to comment #13)
> My question is; what is adding the string %2f to the token?
> If the string needs to be the Literal Text, e.g. a file named foo%2fbar, that
> URL is only valid if the '%' is escaped by the client.
> E.g. to retrieve /foo%2fbar - the string /foo%252fbar must be passed as the
> request URI.  It isn't a question of accepting '%2F' but a question of passing
> the percent as an encoded literal; refer to
> section 2.4.2;
>    Because the percent "%" character always has the reserved purpose of
>    being the escape indicator, it must be escaped as "%25" in order to
>    be used as data within a URI.  Implementers should be careful not to
>    escape or unescape the same string more than once, since unescaping
>    an already unescaped string might lead to misinterpreting a percent
>    data character as another escaped character, or vice versa in the
>    case of escaping an already escaped string.
> The reason %2f or %5C are decrypted goes to this statement;
>    In some cases, data that could be represented by an unreserved
>    character may appear escaped; for example, some of the unreserved
>    "mark" characters are automatically escaped by some systems.  If the
>    given URI scheme defines a canonicalization algorithm, then
>    unreserved characters may be unescaped according to that algorithm.
>    For example, "%7e" is sometimes used instead of "~" in an http URL
>    path, but the two are equivalent for an http URL.
> The keyword here is 'equivalent'.  httpd cannot preserve the %2F text while
> allowing safe reencoding/redecoding.
> If the client is failing to escape '%' that is a client flaw; please mention
> what the origin of this filename pattern is.  A form submission?
> We concur the documentation is entirely broken and needs to be revisited.

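The two behaviours argued over in this comment, as an added example that is not part of the bug report or of httpd's code: it models path handling with Python's `urllib.parse` (an assumption, not httpd's implementation) and shows how decoding `%2F` before splitting the path erases the segment boundary, and how a second decode turns a literal `%2f` sent as `%252f` into a slash. The `/app/item` prefix and the sample values are constructed.

```python
from urllib.parse import quote, unquote


def build_path(prefix_segments, variable_content):
    """Client side: percent-encode every segment, so '/' inside data becomes %2F
    and a literal '%' becomes %25 (RFC 2396 section 2.4.2)."""
    segments = list(prefix_segments) + [variable_content]
    return "/" + "/".join(quote(s, safe="") for s in segments)


def decode_then_split(path):
    """Decode the whole path first: an encoded slash turns into a separator."""
    return unquote(path).lstrip("/").split("/")


def split_then_decode(path):
    """Split on literal '/' only, then decode each segment exactly once."""
    return [unquote(s) for s in path.lstrip("/").split("/")]


def sample_results():
    # Constructed samples: data containing a slash, and data containing a literal "%2f".
    path = build_path(["app", "item"], "foo/bar")
    literal = build_path(["app", "item"], "foo%2fbar")
    return {
        "path": path,
        "decode_then_split": decode_then_split(path),
        "split_then_decode": split_then_decode(path),
        "literal_path": literal,
        "literal_decoded_once": split_then_decode(literal),
        # A second layer that decodes again changes the meaning of the data.
        "literal_decoded_twice": decode_then_split(unquote(literal)),
    }


if __name__ == "__main__":
    for name, value in sample_results().items():
        print(f"{name:22} {value}")
```

When a front end and a back end disagree on which of these two orders applies, or one of them decodes a second time, the same request URI names different resources at each layer, which is why access checks should run on the same decoded form that is finally used.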