httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: [users@httpd] Strange character escaping in query string parameter
Date Thu, 14 Nov 2002 22:13:19 GMT

On Thu, 14 Nov 2002, Volker L├╝deling wrote:
> <-- begin output -->
> Query-String:
> HTML=basket/vs_framebasket.htm&ID=huToQNKozM5CoF0i.0.1037303713
> Query-Param :
> HTML=basket/vs_framebasket.htm\&ID=huToQNKozM5CoF0i.0.1037303713
> <-- end output -->
> In Query-Param, the Ampersand character was replaced by "\&", while
> Query-String remains unchanged. I verified that behaviour on two independent
> systems, so I'm sure that Apache is responsible.
> Does anyone know if this is intended behaviour, or if there is a way to
> disable this "feature"?
> Changing the shop scripts is not an option, since they are binaries and we
> don't have access to the source code.

I seem to remember some change made to the apache source code
in relation to this.  Something about this vulnerability I think:
but I can't track down the exact change.

In general, using the argv is not a good idea, but that doesn't help you
with your problem.

Sorry I don't remember any more details.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message