httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Please vote - how to handle AllowEncodedSlashes
Date Tue, 25 Jan 2011 23:12:05 GMT
On 1/24/2011 7:55 AM, Eric Covener wrote:
> On Mon, Jan 24, 2011 at 8:53 AM, Eric Covener <covener@gmail.com> wrote:
>>>  But it could only break people who
>>> have the non-default "AllowEncodedSlashes On" configured - I wonder how
>>> common that is?
>>
>> Pretty common question/answer for %2f in PATH_INFO or query string,
>> much much rarer as a FAQ for wanting either %2f to be used verbatim to
>> map a file or for it to be used as a / to map a directory.
>>
>> We may be affecting even the former group of folks if they've taught
>> their CGI/etc that the encoded slashes will be decoded.
> 
> Although I am admittedly just barely 51/49 over choice 3 and choice 4,
> so don't count this too strongly against any consensus for 4.

I believe we could and perhaps should treat query string parts separately
if we don't already.  The PATH_INFO folks should not be using %2F constructs
at all ("encoded slashes considered harmful") in the path-part.

In any case, my suggestion for "value" as a fourth-way forward should be
considered an enhancement after we've normalized the usual reject/accept
with decode/undecoded rule set.

Taking my idea of 0xee 0xbe 0xaf one step further, mod_proxy can further
be trained to re-encode this not as %ee%be%af, but as %2f :)

