httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Strange character escaping in query string parameter
Date Thu, 14 Nov 2002 22:13:19 GMT

On Thu, 14 Nov 2002, Volker Lüdeling wrote:
> <-- begin output -->
>
> Query-String:
> HTML=basket/vs_framebasket.htm&ID=huToQNKozM5CoF0i.0.1037303713
> Query-Param :
> HTML=basket/vs_framebasket.htm\&ID=huToQNKozM5CoF0i.0.1037303713
>
> <-- end output -->
>
> In Query-Param, the Ampersand character was replaced by "\&", while
> Query-String remains unchanged. I verified that behaviour on two independent
> systems, so I'm sure that Apache is responsible.
>
> Does anyone know if this is intended behaviour, or if there is a way to
> disable this "feature"?
>
> Changing the shop scripts is not an option, since they are binaries and we
> don't have access to the source code.

I seem to remember some change made to the apache source code
in relation to this.  Something about this vulnerability I think:
http://httpd.apache.org/info/security_bulletin_20020809a.txt
but I can't track down the exact change.

In general, using the argv is not a good idea, but that doesn't help you
with your problem.

Sorry I don't remember any more details.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

