httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: WWW Form Bug Report: "incorrect processing of percent-sign char encoding in URL" on SunOS 4.x
Date Sat, 15 Jun 1996 04:41:02 GMT
Robert S. Thau wrote:
>   Thanks for the info. Sounds like you have a valid point. I'll
>   hand it over to our HTTP/CGI gurus to investigate.
> [Posted internally only, since I'm not sure what we want to tell these
>  guys...]
> My best guess as to the source of this behavior is that code which got
> added to the server a ways back when for some reason Ben and David
> spent quite a bit of time hashing out what constituted an illegal URL,
> so we could reject it.  An encoded slash will specifically cause that
> code to bounce a request with a NOT_FOUND, even if it occurs in
> PATH_INFO.  (URLs with '%' signs which are not followed by two hex
> digits get a BAD_REQUEST).  See unescape_url in util.c.

Erm. Actually, what we spent a long time debating was what needed _escaping_.
Hence os_escape_path. This problem may be connected but what I did was not used
to reject things. I think.



> Accepting encoded slashes only in PATH_INFO is unfortunately not an
> option, since unescape_url is invoked long before we can possibly know
> where in the submitted URL the PATH_INFO *starts*.
> FWIW, this strikes me personally as being somewhat over-strict
> (remember, "be liberal in what you accept"), but in this case, I'll
> leave it to the judgment of the HTTP cop.
> rst

Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email:
A.L. Digital Ltd,           URL:
London, England.

View raw message