httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: escape_uri bug fix never applied
Date Sun, 01 Dec 1996 14:41:07 GMT
Roy T. Fielding wrote:
> >> > What about os_escape_path()?
> >> 
> >> That one was already correct.
> > 
> > I'm glad to hear it. But unless I've gone bonkers it would seem to escape
> > different characters. Is this the way it should be?
> Probably not -- os_escape_path escapes more characters than escape_uri;
> the difference is in characters which do not need to be escaped, but
> can be if desired.  I prefer the minimalist approach, but I wasn't willing
> to change os_escape_path without knowing exactly how and why it is used.
> In other words, I couldn't figure out why we had two different escaping
> functions, and only one of them was incorrect.

OK. The main reasons were that path escaping was platform dependent, at least
in theory, and that escape_uri() was broken.

I'm not convinced that os_escape_path escapes a superset of escape_uri:

escape_uri escapes anything below 0x20, and "%&+<=>? where os_escape_path
escapes anything not in [A-Za-z0-9] unless it is one of $-_.+!*'(),:@&=/~

So, escape_uri escapes &, + and = whereas os_escape_path doesn't. escape_uri
also doesn't apply the "add ./ or : if the leading path segment contains a
:" rule.



Ben Laurie                Phone: +44 (181) 994 6435  Email:
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL:
A.L. Digital Ltd,         Apache Group member (
London, England.          Apache-SSL author

View raw message