httpd-dev mailing list archives

From Dan Poirier <poir...@pobox.com>
Subject Re: Please vote - how to handle AllowEncodedSlashes
Date Mon, 07 Feb 2011 17:46:40 GMT
I checked and the server accepts encoded slashes in query strings,
regardless of AllowEncodedSlashes.  So we're only concerned here with
path info.

Right now in trunk, the default is to not accept encoded slashes, and if
you turn AllowEncodedSlashes on, they are not decoded.  This seems safe
and matches the documentation, so I don't think trunk needs to be
changed (unless somebody really needs the 2.x behavior, in which case
they could add an option for that, but I don't need that.)

In 2.2, the default is to not accept encoded slashes, but if you turn
AllowEncodedSlashes On, they are decoded.  This is contrary to the
documentation and the trunk behavior, and seems potentially unsafe.  But
just changing to the trunk behavior could break users when they upgrade
between 2.2 releases, so I think the best compromise for 2.2 is to add
a new option to accept the slashes without decoding them.  I have a
patch to do that and I'll propose it in 2.2 STATUS for the usual vote.

For 2.0, I think backporting whatever is done in 2.2 can be proposed in
the usual way if anyone wants it, so we don't need to discuss that here.

Thanks for everyone's input on this.

Dan
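
Added example, not part of Dan's message and not httpd code: a small Python model of the three path policies the message describes (reject, accept and decode, accept without decoding), showing how decoding changes the segment structure that path-based rules see. The function names, the policy labels "off", "decode" and "nodecode", and the sample request targets are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Matches an encoded slash in either case (%2F or %2f).
_ENC_SLASH = re.compile(r"%2f", re.IGNORECASE)


def resolve_path(target, policy):
    """Model how a request target's path is handled under each policy.

    policy labels (hypothetical, for this model only):
      "off"      - encoded slashes in the path are not accepted
      "decode"   - accepted and decoded to "/" (2.2 behaviour per the message)
      "nodecode" - accepted and left as %2F (trunk behaviour per the message)
    Returns (status, path); path is None when the request is rejected.
    """
    # Per the message, query strings are unaffected, so only the path is checked.
    path, _, _query = target.partition("?")
    if not _ENC_SLASH.search(path):
        return 200, unquote(path)
    if policy == "off":
        return 404, None  # httpd documents a 404 for this case
    if policy == "decode":
        return 200, unquote(path)
    if policy == "nodecode":
        # Decode every other escape, but keep each encoded slash as %2F.
        pieces = _ENC_SLASH.split(path)
        return 200, "%2F".join(unquote(p) for p in pieces)
    raise ValueError("unknown policy: %r" % policy)


def segments(path):
    """Split a resolved path into its non-empty '/'-separated segments."""
    return [s for s in path.split("/") if s]


if __name__ == "__main__":
    # Constructed sample: the client intends 'a/b' to be ONE item identifier.
    sample = "/api/items/a%2Fb/details"
    for policy in ("off", "decode", "nodecode"):
        status, path = resolve_path(sample, policy)
        print(policy, status, path, segments(path) if path else None)
```

Under "decode" the sample resolves to five segments instead of four, so any access rule or handler keyed on path structure evaluates a different path than the one the client encoded.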
