httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Broken URI-unescaping in mod_proxy
Date Sun, 09 Sep 2007 00:21:29 GMT
PR 41798 and many related ones (eg 39746, 38980 - both of which I've
closed today) show a history of incorrect URL-unescaping in mod_proxy.

For PR41798, the attached patch looks like a fix: it just uses
r->unparsed_uri (escaped) instead of r->uri (unescaped) in
proxy_trans.  I'm wondering if using unparsed_uri here risks
breaking something or has security implications we need to
consider, bearing in mind we already unescaped it and thus
verified it is well-formed.

Any thoughts?  Whoever wrote the comment about the existing logic
breaking RFC1945 presumably didn't see it as being that simple.

Nick Kew

Application Development with Apache - the Apache Modules Book

View raw message