Received: by taz.hyperreal.com (8.6.12/8.6.5) id WAA11663; Fri, 14 Jun 1996 22:23:51 -0700
Received: from arachnet.algroup.co.uk by taz.hyperreal.com (8.6.12/8.6.5) with SMTP id WAA11649; Fri, 14 Jun 1996 22:23:41 -0700
Received: from heap.ben.algroup.co.uk by arachnet.algroup.co.uk id aa23378; 15 Jun 96 6:23 BST
Received: from gonzo.ben.algroup.co.uk by heap.ben.algroup.co.uk id aa15530; 15 Jun 96 5:45 BST
Subject: Re: WWW Form Bug Report: "incorrect processing of percent-sign char encoding in URL" on SunOS 4.x
To: new-httpd@hyperreal.com
Date: Sat, 15 Jun 1996 05:41:02 +0100 (BST)
From: Ben Laurie
In-Reply-To: <199606142328.TAA23197@volterra.ai.mit.edu> from "Robert S. Thau" at Jun 14, 96 07:28:15 pm
X-Mailer: ELM [version 2.4 PL24 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1550
Message-ID: <9606150541.aa15464@gonzo.ben.algroup.co.uk>
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Robert S. Thau wrote:
> 
> Thanks for the info.  Sounds like you have a valid point.  I'll
> hand it over to our HTTP/CGI gurus to investigate.
> 
> [Posted internally only, since I'm not sure what we want to tell these
> guys...]
> 
> My best guess as to the source of this behavior is that code which got
> added to the server a ways back when for some reason Ben and David
> spent quite a bit of time hashing out what constituted an illegal URL,
> so we could reject it.  An encoded slash will specifically cause that
> code to bounce a request with a NOT_FOUND, even if it occurs in
> PATH_INFO.  (URLs with '%' signs which are not followed by two hex
> digits get a BAD_REQUEST).  See unescape_url in util.c.

Erm. Actually, what we spent a long time debating was what needed
_escaping_. Hence os_escape_path. This problem may be connected but what I
did was not used to reject things. I think.

Cheers,

Ben.

> 
> Accepting encoded slashes only in PATH_INFO is unfortunately not an
> option, since unescape_url is invoked long before we can possibly know
> where in the submitted URL the PATH_INFO *starts*.
> 
> FWIW, this strikes me personally as being somewhat over-strict
> (remember, "be liberal in what you accept"), but in this case, I'll
> leave it to the judgment of the HTTP cop.
> 
> rst

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL:   http://www.algroup.co.uk
London, England.
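The two rejection rules the thread attributes to unescape_url (an encoded slash anywhere in the URL gets NOT_FOUND; a '%' not followed by two hex digits gets BAD_REQUEST) are shown below as an added illustration. This is not Apache's util.c; the function name, the numeric return codes and the sample URLs are constructed for the example. Because decoding runs before the PATH_INFO boundary is known, the decoder has to be strict over the whole URL, which is why it rejects the request instead of decoding %2F into a path separator that later path checks never saw.

```c
#include <ctype.h>
#include <string.h>

/* Constructed return codes for this example, not Apache's own values. */
#define DECODE_OK          0
#define DECODE_BAD_REQUEST 400  /* '%' not followed by two hex digits */
#define DECODE_NOT_FOUND   404  /* decoded byte is '/', i.e. an encoded slash */

static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;                      /* includes '\0', so a trailing '%' is caught */
}

/* Decodes %XX sequences in place, returning the first violation found.
 * On a violation the buffer is left partially decoded and must be discarded,
 * which mirrors the thread's point that the request is bounced outright. */
int strict_unescape_url(char *url)
{
    char *src = url, *dst = url;

    while (*src) {
        if (*src != '%') {
            *dst++ = *src++;
            continue;
        }
        int hi = hex_val((unsigned char)src[1]);
        /* src[2] is only read when src[1] was a real hex digit, so we never
         * step past the terminating NUL. */
        int lo = (hi < 0) ? -1 : hex_val((unsigned char)src[2]);
        if (hi < 0 || lo < 0)
            return DECODE_BAD_REQUEST;
        int byte = (hi << 4) | lo;
        if (byte == '/')
            return DECODE_NOT_FOUND;    /* %2F / %2f rejected even inside PATH_INFO */
        *dst++ = (char)byte;
        src += 3;
    }
    *dst = '\0';
    return DECODE_OK;
}
```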