Received: by taz.hyperreal.com (8.8.4/V2.0) id IAA21318; Fri, 7 Mar 1997 08:56:34 -0800 (PST) Received: from paris.ics.uci.edu by taz.hyperreal.com (8.8.4/V2.0) with SMTP id IAA21308; Fri, 7 Mar 1997 08:56:27 -0800 (PST) Received: from kiwi.ics.uci.edu by paris.ics.uci.edu id aa08347; 7 Mar 97 8:54 PST To: richter@ecos.de cc: new-httpd@hyperreal.com Subject: Re: [BUG]: "unescape_url don't convert '+' to blank" on Linux (fwd) In-reply-to: Your message of "Tue, 25 Feb 1997 14:24:46 EST." <199702251924.OAA12113@luers.qosina.com> Date: Fri, 07 Mar 1997 08:54:30 -0800 From: "Roy T. Fielding" Message-ID: <9703070854.aa08347@paris.ics.uci.edu> Sender: new-httpd-owner@apache.org Precedence: bulk Reply-To: new-httpd@hyperreal.com >> From nobody@hyperreal.com Tue Feb 25 14:23:58 1997 >> Message-Id: <199702251924.LAA02629@taz.hyperreal.com> >> From: richter@ecos.de >> To: awm@qosina.com >> Date: Tue Feb 25 11:24:10 1997 >> Subject: [BUG]: "unescape_url don't convert '+' to blank" on Linux >> >> Submitter: richter@ecos.de >> Operating system: Linux, version: 2.0.26 >> Version of Apache Used: 1.2b7 >> Extra Modules used: mod_perl >> URL exhibiting problem: >> >> Symptoms: >> -- >> unescape_url don't convert the plus sign to blank. This makes trouble when u >sing it to unescape form contents, which may contain blanks. The following pat >ch to util.c should fix the problem: >> >> --- util.c.orig Tue Feb 25 13:17:58 1997 >> +++ util.c Tue Feb 25 15:33:46 1997 >> @@ -744,7 +744,8 @@ >> badesc = 0; >> badpath = 0; >> for(x=0,y=0;url[y];++x,++y) { >> - if (url[y] != '%') url[x] = url[y]; >> + if (url[y] == '+') url[x] = ' '; >> + else if (url[y] != '%') url[x] = url[y]; >> else >> { >> if (!isxdigit(url[y+1]) || !isxdigit(url[y+2])) >> That patch will cause your server to fail on any file/directory name that contains a "+" (a perfectly legal filename character on Unix). unescape_url is not intended to unescape the query info part of a URL, and the CGI is capable of doing that on its own anyway. .....Roy [that's a big -1, dudes]