httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject Re: # in file names...
Date Wed, 04 Oct 1995 11:08:00 GMT
> > I missed off / from the list of acceptable characters, BTW.
> > Remove & from the list if you like; but don't document this routine as
> > somehow being a 'general URI encoding routine'.
> 
> OK, I've read the RFC a bit more carefully (blush). I see where you got your
> list from, and I agree with the list, or at least this version of it:
> 
> A-Za-z0-9$-_.+!*'(),:@&=
> 
> However, we should either escape : or put ./ on the front (one less
> character).

Escaping : may be more broswer-safe, and it's a change local to a segment
instead of global to the path.

> I would suggest that the routine should be called escape_rfc1808_segment,
> which makes it pretty clear what it is doing (at least to anyone with RFC1808
> to hand). If everyone (who cares) is happy with this, I'll redo the patch,
> again. Note that the routine _will_ escape /, to escape a path with
> directories in, each segment will have to be individually escaped (I suggest
> this method for better OS independence. / cannot appear in a filename under
> Unix, but it certainly can on a Mac, and probably also on Win95). This will
> not be a problem with the current use of the routine.

Oerr, Apache on the Mac!

If you write escape_rfc1808_segment (or escape_path_segment as I would call it,
with a reference to rfc1808 in the comments) then you will also need an
escape_rfc1808_path (or escape_path) which splits up a path into
segments, escapes each segment, and concatenates the segments again.
For Apache at present this is, of course, equivalent to escape_rfc1808_segment,
but allowing '/' unescaped.

The call to escape_uri in mod_dir.c will become a call to
escape_rfc1808_segment, and the other calls will become calls to
escape_rfc1808_path. Of course, under UNIX mod_dir.c could equally well
call escape_rfc1808_path.

Note that it will take a significant amount of change to apache to work with
an OS that allows '/' in filenames, as it already uses / for the segment
separator. And does MacOS allow NULL characters in filenames?

Also, the current CGI spec does not support / in path segments;
for the URL http://host/cgi-bin/script/extra%2fdata
the extra path segment cannot be passed to the script, as it would be
decoded beforehand.

 David.

Mime
View raw message