httpd-dev mailing list archives

From: "Roy T. Fielding" <field...@apache.org>
Subject: Re: workaround for encoded slashes (%2f)
Date: Wed, 30 Oct 2002 20:52:32 GMT

Your patch will simply let the %2F through, but then a later section
of code will translate them to / and we've opened a security hole
in the main server.  I'd rather move the rejection code to the
place where a decision has to be made (like the directory walk),
but I have no time to do it myself.  I think it is reasonable to
allow %2F under some circumstances, but only in content handlers
and only as part of path-info and not within the real directory
structure.

....Roy
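
The decision point described in the message above, as an added C sketch that is not part of the original message or of Apache httpd's code: the encoded slash is checked per raw segment during the walk, and only the path-info remainder may carry it. The names `walk_check` and `has_encoded_slash` and the `fs_segments` count (how many leading segments map onto real directories or files, which a real directory walk would discover itself) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Does the raw, still-encoded segment seg[0..len) contain %2F or %2f? */
static int has_encoded_slash(const char *seg, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (seg[i] == '%' && seg[i + 1] == '2' &&
            (seg[i + 2] == 'F' || seg[i + 2] == 'f'))
            return 1;
    return 0;
}

/*
 * Walk the first fs_segments segments of the raw URI (assumed to be the
 * part that maps onto real directories and files). An encoded slash there
 * is rejected before anything is decoded. On success *path_info points at
 * the remaining raw text, which is handed to the content handler as-is.
 * Returns 0 to accept, -1 to reject.
 */
int walk_check(const char *uri, int fs_segments, const char **path_info)
{
    const char *p = uri;

    *path_info = NULL;
    for (int i = 0; i < fs_segments; i++) {
        while (*p == '/')               /* literal separators only */
            p++;
        if (*p == '\0')
            break;
        size_t len = strcspn(p, "/");   /* one raw segment */
        if (has_encoded_slash(p, len))
            return -1;                  /* decision made at the walk */
        p += len;
    }
    *path_info = p;
    return 0;
}

int main(void)
{
    /* Constructed sample URIs: raw path, then segments that map to files. */
    const char *pi;
    printf("%d\n", walk_check("/docs/a%2Fb/file", 3, &pi));
    if (walk_check("/cgi-bin/app/foo%2Fbar", 2, &pi) == 0)
        printf("path-info: %s\n", pi);
    return 0;
}
```

Because the check runs on the raw segment before any decoding, a later decode step cannot turn an accepted file-system segment into two.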

