httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
Date Mon, 24 Nov 1997 09:33:05 GMT
On Sun, 23 Nov 1997, Roy T. Fielding wrote:

> >LocationMatch/Location do collapse double slashes, but I consider this to
> >be a bug.  They are documented to work in the URI space, not in the
> >filespace. 
> Yep, that's a bug.  Dean's analysis matches what I would have said.
> >RFC1738, RFC1808, and Roy's new draft appear silent on the issue. 
> "/" never equals "//".  The only reason we collapse them for matches
> against Directory sections is security within the filesystem mapping.
> If the string is modified, the result should be a redirect or rejection.
> A "//" is meaningful for all resource namespaces not aligned with the
> filesystem, and that's the case for what mod_rewrite is doing.

I am too getting a bit worried about all this. Filespace and URI space
most certainly are not a bi-jection, should not be, and will most likely
never be. Lets please, please be very carefull; when passing and handling
URI's (and partial URI's) for cgi, include, rewrite, i.e. anywhere where
it is not the final (injection) transformation to a file, it should be
considered quite opaque. Including even the '#' and '?' :-)


View raw message