Return-Path: Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 9602 invoked by uid 500); 1 Nov 2002 17:59:48 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 9567 invoked from network); 1 Nov 2002 17:59:48 -0000 Message-ID: <3DC2C117.C5189C11@Golux.Com> Date: Fri, 01 Nov 2002 12:59:51 -0500 From: Rodent of Unusual Size Organization: The Apache Software Foundation X-Mailer: Mozilla 4.79 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: workaround for encoded slashes (%2f) References: <83100D46-EC49-11D6-B519-000393753936@apache.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N "Roy T. Fielding" wrote: > > Your patch will simply let the %2F through, but then a later section > of code will translate them to / and we've opened a security hole > in the main server. I'd rather move the rejection code to the > place where a decision has to be made (like the directory walk), > but I have no time to do it myself. I think it is reasonable to > allow %2F under some circumstances, but only in content handlers > and only as part of path-info and not within the real directory > structure. is this a veto? because i'd like to understand how this 'opens a security hole' available to client-side exploitation without server-side deficiencies (such as a poorly-coded cgi script). if there is none, i don't see why this cannot go in as a starting point.