httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: [users@httpd] AllowEncodedSlashes puzzle
Date Fri, 22 Oct 2004 18:02:10 GMT
On Fri, 22 Oct 2004 10:13:01 -0700, Kenneth Porter
<> wrote:
> I've got a brain-dead client issuing this request:
> "GET /MISC%2ftvredirect%2fMP%2dDangerousCrossingBeta2%2etvm%2euz2 HTTP/1.1"
> As you can see, it's erroneously URL-encoding slashes. (Along with any
> other punctuation.)
> I've got AllowEncodedSlashes On, but I'm still getting back my custom 404
> document (which returns a 302 to the site's home page).

AllowEncodedSlashes does *not* decode the slashes.  That would be a
major security whole.  It simply allows the request through rather
than rejecting it outright.

> I've tried
> directives from mod_alias to rewrite the encoded slashes to real ones but
> it doesn't appear to work. I'm guessing I've got the syntax wrong somehow:
> #Alias /MISC%2ftvredirect%2f /MISC/tvredirect/
> #Alias /MISC/tvredirect/ /MISC/tvredirect/

Those are certainly not right, since the second argument to Alias is a
full file-system path, not a URL-path.

This is a rather tricky problem overall, since apache tends to encode
and decode things differently depending on exactly which directives
are used.  Personally, I would try mod_rewrite, where at least you
have the benefit of the RewriteLog to examine exactly what is going

As a worst case, you can always replace your 404 page with a CGI
script that does whatever decoding you want and emits a Location:
header pointing to the correct page.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message