httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Please vote - how to handle AllowEncodedSlashes
Date Wed, 26 Jan 2011 15:52:05 GMT
 

> -----Original Message-----
> From: Dan Poirier [mailto:poirier@pobox.com] 
> Sent: Mittwoch, 26. Januar 2011 16:35
> To: dev@httpd.apache.org
> Subject: Re: Please vote - how to handle AllowEncodedSlashes
> 
> On 01/21/2011 01:20 PM, Dan Poirier wrote:
> > Can we take an informal vote on how best to handle 
> AllowEncodedSlashes?
> >
> > At present, AllowEncodedSlashes Off (the default) results 
> in any request
> > containing an encoded slash, %2F, being rejected with a 404.
> >
> > In 2.0 and trunk, AllowEncodedSlashes On allows the encoded 
> slash, but
> > does not decode it.  This keeps httpd from misinterpreting 
> an encoded
> > slash in a request as a path separator.  I believe this was always
> > the intended behavior.
> >
> > In 2.2, AllowEncodedSlashes On allows the encoded slash, 
> and decodes it.
> > This has caused problems for multiple people (see bugzilla, e.g. PR
> > 35256), but has been the behavior since 2.2.0 (introduced in
> > 2.1.something, I believe unintentionally).
> 
> One correction for the record - 2.0 behaves like 2.2.  I doubt it's 
> worth fixing, though.
> 
> 

But this changes a lot. If 2.0 is like 2.2 then nothing breaks for people
moving from 2.0 to 2.2. So we should fix in trunk and set it to a sane default
(whatever this is, see discussion in the thread) and the backport to 2.2 should
preserve the current behaviour and just offer an option to enable the trunk default.


Regards

Rüdiger

Mime
View raw message