httpd-dev mailing list archives

From d...@ast.cam.ac.uk (David Robinson)
Subject Re: Yet another URL-encoding bug
Date Fri, 20 Oct 1995 17:17:00 GMT
Date: Fri, 13 Oct 1995 17:49:01 +0100 (BST)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
>> Yet another URL-encoding bug:
>> Redirect /wibble/ http://aserver/dir/
>> 
>> accessing http://myserver/wibble/heelo%25.html
>> generates a redirect to the Location: http://aserver/dir/heelo%.html
>> 
>> mod_alias.c was not re-escaping the incoming URL for the redirect.
>> 
>> I've uploaded 26_redirect2.0.8.14.patch to hyperreal.com in the
>> for_Apache_0.8.14 directory (for the lack of a better place).
>> This patch calls escape_uri to fix the problem.
>> 
>> I would rather use os_escape_path() to escape the URI, but unfortunately it
>> would break on requests with a ':' - e.g.
>> http://myserver/wibble/hello:.html would return a Location: of
>> http://aserver/dir/./hello:.html
>> 
>> My preferred solution would be to change os_escape_path() so that it escapes
>> ':' - that way it can be called on both relative and absolute paths.
>> I think that is much neater than having two routines.
>
>Well, there are (at least) two answers to this. Answer one is to escape the
>new path _after_ you have assembled the parts (not strictly correct, I'll
>agree).

Then I'd have to decode the part the user provided so that it could be
re-escaped properly...

>Answer two is that a ./ is _removed_ anyway (see RFC 1808), so
>can't affect the path.

Actually not in this context; the client gets a complete URL, so it shouldn't
do any ./removal.

>Answer three (probably the best) is to tell
>os_escape_path whether the path is absolute or relative, by prepending a '/',
>i.e. you pass it "/hello:.html" to escape, then it doesn't put the ./ in.

Yuk yuk yuk.  'alloc new copy of string with leading /; call routine,
remove leading /'

Encoding ':' would break nothing.

 David.
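
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Apache code: the Location value built from the decoded request path, with and without re-escaping. `escape_path` and `redirect_location` are hypothetical names, and encoding ':' follows the suggestion made in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Apache's escape_uri() or os_escape_path():
 * percent-encode every byte except unreserved characters and '/'.
 * ':' is encoded too, so the output works in relative and absolute paths. */
static char *escape_path(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(3 * strlen(s) + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr("-._~/", c)) { *p++ = (char)c; continue; }
        *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 15];
    }
    *p = '\0';
    return out;
}

/* Location for "Redirect <prefix> <target>". decoded_uri is the request path
 * after percent-decoding. reescape == 0 reproduces the reported behaviour. */
char *redirect_location(const char *prefix, const char *target,
                        const char *decoded_uri, int reescape)
{
    size_t plen = strlen(prefix);
    if (strncmp(decoded_uri, prefix, plen) != 0) return NULL;
    const char *rest = decoded_uri + plen;
    char *tail = reescape ? escape_path(rest) : NULL;
    if (reescape && !tail) return NULL;
    char *loc = malloc(strlen(target) + strlen(tail ? tail : rest) + 1);
    if (loc) { strcpy(loc, target); strcat(loc, tail ? tail : rest); }
    free(tail);
    return loc;
}

int main(void)
{
    /* Constructed input: /wibble/heelo%25.html as seen after decoding. */
    const char *uri = "/wibble/heelo%.html";
    char *raw = redirect_location("/wibble/", "http://aserver/dir/", uri, 0);
    char *esc = redirect_location("/wibble/", "http://aserver/dir/", uri, 1);
    if (raw && esc) printf("unescaped: %s\nre-escaped: %s\n", raw, esc);
    free(raw); free(esc);
    return 0;
}
```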
