httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: Deficiency in mod_rewrite
Date Fri, 23 Mar 2001 21:18:11 GMT
Rodent of Unusual Size wrote:
> 
> I just realised that mod_rewrite has a fairly significant
> deficiency: since it uses '%' and '$' for its own purposes
> in signalling substitution, there does not appear to be any
> way to include these characters explicitly in the rewritten
> string.

The obvious first pass solution is to introduce the special
strings '%%' and '%$' (and '$%' and '$$') as forcing the
second character to be a literal.  No problem.. except that
the result of the rewrite is always passed through ap_escape_uri()
(aka ap_os_escape_path()), which leaves the '$' alone but
turns the '%' into '%25'.

The ways that I see out of this are either performance hogs
(such as replacing the literal '%' with a meta-string, escaping
the string, and then converting the meta-string back to '%')
or else potentially suspect (like turning off escaping if
'%%' was used).  The former sucks wind, and the latter would
let illegal characters through if they were in the rewritten
string.

Of course, mod_rewrite already has a means of reversing the
escaping.. if you use a rewrite map, which is certainly more
complicated than this needs to be.

I see three options here:

1. Leave it alone and document it as a deficiency ('you cannot have
   escapes in rewritten URLs').
2. Jump through the necessary hoops to find an appropriate
   replacement character that will make it through the call
   to ap_escape_uri(), and then replace that with '%' after
   escaping.
3. Disable escaping (and log the fact in the rewritelog) if the
   rewrite string contains '%%' or '$%'.

I think #1 is right out; I would like to fix this.  I personally
would like to do #2, but it is not as simple as #3, which is
definitely the quick&dirty solution.

Any other opinions or options I am missing?
-- 
#ken    P-)}

Ken Coar                    <http://Golux.Com/coar/>
Apache Software Foundation  <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>
"Apache Server Unleashed"   <http://ApacheUnleashed.Com/>

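The three behaviours weighed in the message above, as an added C sketch that is not code from the original post or from mod_rewrite: the first-pass idea (literal '%' then escaping), option 2 (placeholder restored after escaping) and option 3 (escaping switched off). `toy_escape` is a simplified stand-in for ap_escape_uri(), and `rewrite`, `LITERAL_PCT`, the mode names and the sample string are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LITERAL_PCT '\x01' /* hypothetical placeholder; assumed absent from input */
enum mode { FIRST_PASS, OPTION2, OPTION3 };

/* Simplified stand-in for the escaping step, NOT ap_escape_uri() itself: leaves
 * '$' and a few path characters alone; 'keep' is one extra pass-through byte. */
static void toy_escape(const char *in, char keep, char *out, size_t outsz)
{
    static const char safe[] = "$-_.!*'(),:@&=+/~";
    size_t o = 0;
    for (; *in && o + 4 <= outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || strchr(safe, c) || (keep && *in == keep))
            out[o++] = *in;
        else
            o += (size_t)snprintf(out + o, 4, "%%%02X", c);
    }
    out[o] = '\0';
}

/* Handles only the doubled forms from the message; backreferences are out of scope. */
static const char *rewrite(const char *subst, enum mode m, char *out, size_t outsz)
{
    char tmp[256] = "";          /* zero-filled, so it stays NUL-terminated */
    size_t t = 0;
    int forced_pct = 0;
    for (const char *p = subst; *p && t + 1 < sizeof tmp; p++) {
        int doubled = p[1] && strchr("%$", p[0]) && strchr("%$", p[1]);
        if (doubled && *++p == '%') forced_pct = 1;   /* second char is the literal */
        tmp[t++] = (doubled && *p == '%' && m == OPTION2) ? LITERAL_PCT : *p;
    }
    if (m == OPTION3 && forced_pct)     /* option 3: nothing in the string is escaped */
        snprintf(out, outsz, "%s", tmp);
    else
        toy_escape(tmp, m == OPTION2 ? LITERAL_PCT : 0, out, outsz);
    for (char *q = out; m == OPTION2 && *q; q++)
        if (*q == LITERAL_PCT) *q = '%';              /* restore after escaping */
    return out;
}

int main(void)
{
    char buf[128];
    for (int m = FIRST_PASS; m <= OPTION3; m++)       /* constructed sample input */
        printf("mode %d: %s\n", m, rewrite("/dl/a b%%2Fc", (enum mode)m, buf, sizeof buf));
    return 0;
}
```

With the sample input, the first pass yields `%252F`, option 2 yields `%2F` with the space still encoded as `%20`, and option 3 yields `%2F` but leaves the raw space in the result.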