httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: escape_uri bug fix never applied
Date Sun, 01 Dec 1996 14:41:07 GMT
Roy T. Fielding wrote:
> 
> >> > What about os_escape_path()?
> >> 
> >> That one was already correct.
> > 
> > I'm glad to hear it. But unless I've gone bonkers it would seem to escape
> > different characters. Is this the way it should be?
> 
> Probably not -- os_escape_path escapes more characters than escape_uri;
> the difference is in characters which do not need to be escaped, but
> can be if desired.  I prefer the minimalist approach, but I wasn't willing
> to change os_escape_path without knowing exactly how and why it is used.
> In other words, I couldn't figure out why we had two different escaping
> functions, and only one of them was incorrect.

OK. The main reasons were that path escaping was platform dependent, at least
in theory, and that escape_uri() was broken.

I'm not convinced that os_escape_path escapes a superset of escape_uri:

escape_uri escapes anything below 0x20, and "%&+<=>? where os_escape_path
escapes anything not in [A-Za-z0-9] unless it is one of $-_.+!*'(),:@&=/~

So, escape_uri escapes &, + and = whereas os_escape_path doesn't. escape_uri
also doesn't apply the "add ./ or : if the leading path segment contains a
:" rule.

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
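
The comparison made in the message above, worked through as an added example (not part of the original message and not Apache source code). The two predicates encode the character rules exactly as the message states them; the function names are hypothetical, and only 7-bit ASCII is considered.

```c
#include <stdio.h>
#include <string.h>

/* Rule stated for escape_uri: anything below 0x20, plus "%&+<=>? */
static int uri_rule_escapes(unsigned char c)
{
    return c < 0x20 || strchr("\"%&+<=>?", c) != NULL;
}

/* Rule stated for os_escape_path: anything outside [A-Za-z0-9]
 * unless it is one of $-_.+!*'(),:@&=/~ */
static int path_rule_escapes(unsigned char c)
{
    if (c == '\0')
        return 1; /* strchr would match the terminator, so handle NUL here */
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return 0;
    return strchr("$-_.+!*'(),:@&=/~", c) == NULL;
}

/* Collect the ASCII characters (1..127) that rule a escapes but rule b
 * leaves alone. out must hold at least 128 bytes; returns the count. */
static size_t only_escaped_by(int (*a)(unsigned char),
                              int (*b)(unsigned char), char *out)
{
    size_t n = 0;
    for (int c = 1; c < 128; c++)
        if (a((unsigned char)c) && !b((unsigned char)c))
            out[n++] = (char)c;
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[128];
    size_t n;

    n = only_escaped_by(uri_rule_escapes, path_rule_escapes, buf);
    printf("escape_uri only (%zu): %s\n", n, buf);

    n = only_escaped_by(path_rule_escapes, uri_rule_escapes, buf);
    printf("os_escape_path only (%zu):", n);
    for (size_t i = 0; i < n; i++)
        printf(" 0x%02x", (unsigned char)buf[i]);
    printf("\n");
    return 0;
}
```

Both differences are non-empty, so under the stated rules neither function's escaped set contains the other's.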
