httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 50589] New: Tilde characters are ALWAYS escaped by mod_proxy in Apache 2.0.x
Date Sat, 15 Jan 2011 02:40:45 GMT

           Summary: Tilde characters are ALWAYS escaped by mod_proxy in
                    Apache 2.0.x
           Product: Apache httpd-2
           Version: 2.0.64
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: mod_proxy

I was using Apache's mod_proxy module recently when I came across a bug.

Addresses of the form:

were being converted to

When the Zappos servers see a URL with %7E in it, they respond
with an HTTP 301 Moved Permanently to the same URL with a decoded ~.
Tshark dump follows:

Hypertext Transfer Protocol
   HTTP/1.1 301 Moved Permanently\r\n
       [Expert Info (Chat/Sequence): HTTP/1.1 301 Moved Permanently\r\n]
           [Message: HTTP/1.1 301 Moved Permanently\r\n]
           [Severity level: Chat]
           [Group: Sequence]
       Request Version: HTTP/1.1
       Response Code: 301
   Server: nginx/0.8.34\r\n
   Content-Type: text/html\r\n
   Content-Length: 185\r\n
       [Content length: 185]
   Location: /donald-j-pliner-womens-boots~2\r\n
   X-Core-Value: 6. Build Open and Honest Relationships With Communication\r\n
   X-Recruiting: If you're reading this, maybe you should be working
at Zappos instead.  Check out\r\n
   Vary: Accept-Encoding\r\n
   Date: Fri, 14 Jan 2011 00:33:56 GMT\r\n
   Connection: close\r\n
Line-based text data: text/html
   <head><title>301 Moved Permanently</title></head>\r\n
   <body bgcolor="white">\r\n
   <center><h1>301 Moved Permanently</h1></center>\r\n

Because mod_proxy will always escape ~ into %7E this will quickly lead
to an infinite redirect loop (luckily most applications will get the
hint quickly).

I dug into why this is and came up with the following message:

Digging further I even found a commit to the Apache 2.2 branch:

However, when I looked for a similar change in Apache 2.0.64 I noticed
it was not present
line 137

I assume it just never got back-ported.

I went to file a bug on the Apache website, but it suggested I ping
this mailing list first (

While Zappos' redirection is non-standard, forcing the URLEncoding of
the tilde character is not in keeping with RFC 2396 which supersedes
RFC 1738 and specifically states:

2.3. Unreserved Characters

  Data characters that are allowed in a URI but do not have a reserved
  purpose are called unreserved.  These include upper and lower case
  letters, decimal digits, and a limited set of punctuation marks and

     unreserved  = alphanum | mark

     mark        = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"

  Unreserved characters can be escaped without changing the semantics
  of the URI, but this should not be done unless the URI is being used
  in a context that does not allow the unescaped character to appear.

Therefore, I would recommend a similar change to Apache 2.0.x's
proxy_util.c in keeping with Apache 2.2.x's revision 571436.

Specifically, line 137, which reads:

   allowed = "$-_.+!*'(),;:@&=";

should read:

   allowed = "~$-_.+!*'(),;:@&=";

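An added illustration of the behaviour this report describes (not code from the original message and not Apache's proxy_util.c): a simplified path encoder parameterised by the allowed set, plus a model of the origin's 301 response. The names canon_encode and redirects_followed are hypothetical; the two allowed strings and the sample path are taken from the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The 2.0.64 set quoted in the report, and the proposed set with '~' added. */
static const char ALLOWED_2_0_64[]   = "$-_.+!*'(),;:@&=";
static const char ALLOWED_PROPOSED[] = "~$-_.+!*'(),;:@&=";

/* Simplified encoder (illustration only, input assumed already decoded):
 * alphanumerics, '/' and bytes in `allowed` pass through, the rest become %XX. */
static int canon_encode(const char *in, const char *allowed, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int keep = isalnum(c) || c == '/' || strchr(allowed, c) != NULL;
        if (o + (keep ? 1 : 3) >= outsz)
            return -1;                      /* output buffer too small */
        if (keep)
            out[o++] = (char)c;
        else
            o += (size_t)sprintf(out + o, "%%%02X", (unsigned)c);
    }
    out[o] = '\0';
    return (int)o;
}

/* Models the report: the origin answers any path containing %7E with a 301
 * back to the literal '~' form and the client retries through the proxy.
 * Returns the redirects followed, capped at max_hops. */
static int redirects_followed(const char *path, const char *allowed, int max_hops)
{
    char sent[256];
    for (int hops = 0; hops < max_hops; hops++) {
        if (canon_encode(path, allowed, sent, sizeof sent) < 0)
            return -1;
        if (strstr(sent, "%7E") == NULL)
            return hops;                    /* no encoded tilde: page is served */
    }
    return max_hops;                        /* never converged: redirect loop */
}

int main(void)
{
    const char *path = "/donald-j-pliner-womens-boots~2"; /* Location header above */
    printf("2.0.64 set:   %d redirects\n", redirects_followed(path, ALLOWED_2_0_64, 20));
    printf("proposed set: %d redirects\n", redirects_followed(path, ALLOWED_PROPOSED, 20));
    return 0;
}
```

With the 2.0.64 set the count reaches the hop cap, which is the loop the report describes; with the tilde added the first request is served.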