httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: question on % escaping
Date Tue, 14 Jan 1997 06:09:26 GMT
On Mon, 13 Jan 1997, Alexei Kosut wrote:

> On Mon, 13 Jan 1997, Marc Slemko wrote:
> 
> > If I do a "GET %2f HTTP/1.0" should it work?
> 
> Nope. unescape_url() rejects any URL with %2f (or %00) in it. This is
> a security feature, obviously, but people complain sometimes that it
> worked in NCSA httpd.
> 
> It would work anyway: Since unescape_url is called before
> getparents(), %2f would be treated exactly like / is. But we reject it
> anyway.

But doesn't the RFC require them to be handled?  Which one?  Errm... 2068?
Ahh.  Tricky.  Looks like it doesn't.

   Characters other than those in the "reserved" and "unsafe" sets (see
   section 3.2) are equivalent to their ""%" HEX HEX" encodings.

And reserved and unsafe are:

          reserved       = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+"
          unsafe         = CTL | SP | <"> | "#" | "%" | "<" | ">"

Ok, no problems.

Hmm, perhaps we should implement the below error code sometime?  It would
give people trying to break Apache with long URLs a happy (or sad) feeling
when they get an error instead of having it silently truncated like (I
think) happens now.

5.1.2

   The HTTP protocol does not place any a priori limit on the length of
   a URI. Servers MUST be able to handle the URI of any resource they
   serve, and SHOULD be able to handle URIs of unbounded length if they
   provide GET-based forms that could generate such URIs. A server
   SHOULD return 414 (Request-URI Too Long) status if a URI is longer
   than the server can handle (see section 10.4.15).


   Characters other than those in the "reserved" and "unsafe" sets (see
   section 3.2) are equivalent to their ""%" HEX HEX" encodings.
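
The rejection of `%2f` and `%00` that Alexei describes and the 414 response Marc proposes, sketched as an added example: this is not code from the message and not Apache's own `unescape_url()`. The names `demo_unescape`, `demo_result` and the 8190-byte `DEMO_MAX_URI` limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not Apache's own). */
enum demo_result { DEMO_OK, DEMO_BAD_ESCAPE, DEMO_REJECTED, DEMO_TOO_LONG };

#define DEMO_MAX_URI 8190  /* assumed limit; above it a server would send 414 */

static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes in place, exactly once. On any result other than
 * DEMO_OK the buffer is only partly decoded and the caller must discard it. */
enum demo_result demo_unescape(char *url)
{
    char *out = url;

    if (strlen(url) > DEMO_MAX_URI)
        return DEMO_TOO_LONG;               /* report it, never truncate silently */

    for (const char *in = url; *in; in++) {
        if (*in != '%') { *out++ = *in; continue; }
        int hi = hexval((unsigned char)in[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
        if (lo < 0)
            return DEMO_BAD_ESCAPE;         /* "%", "%4", "%zz": not HEX HEX */
        int ch = hi * 16 + lo;
        if (ch == '/' || ch == '\0')
            return DEMO_REJECTED;           /* %2f and %00 are refused outright */
        *out++ = (char)ch;
        in += 2;
    }
    *out = '\0';
    return DEMO_OK;
}

int main(void)
{
    /* Constructed sample request paths. */
    char samples[][20] = { "/a%20b", "/cgi-bin%2Ftest", "/x%00.html", "/x%zz", "/x%252f" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-16s ", samples[i]);
        printf("-> %d\n", demo_unescape(samples[i]));
    }
    return 0;
}
```

Because the decode runs only once, `/x%252f` comes back as the literal text `/x%2f` with `DEMO_OK`; any later stage that decodes a second time would reintroduce the slash the check was meant to keep out.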


