Received: (from majordom@localhost) by hyperreal.com (8.8.5/8.8.5) id LAA15926; Sun, 4 May 1997 11:40:06 -0700 (PDT)
Received: (from gnats@localhost) by hyperreal.com (8.8.5/8.8.5) id LAA15832; Sun, 4 May 1997 11:40:01 -0700 (PDT)
Date: Sun, 4 May 1997 11:40:01 -0700 (PDT)
Message-Id: <199705041840.LAA15832@hyperreal.com>
From: Marc Slemko
Reply-To: Marc Slemko
To: apache-bugdb@apache.org
Cc: apache-bugdb@apache.org
Subject: mod_cgi/543: "%2F" not allowed in VGI script PATH_INFO
In-Reply-To: Your message of Sun, 4 May 1997 11:37:21 -0700 (PDT) <199705041837.LAA15486@hyperreal.com>
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

>Number: 543
>Category: mod_cgi
>Synopsis: "%2F" not allowed in VGI script PATH_INFO
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sun May 4 11:40:00 1997
>Originator: marcs@znep.com
>Organization: apache
>Release: 1.2b?
>Environment:
N/A [entered from mail to make a formal PR]
>Description:
If foo is a script, and you try to access foo/bar/baz, it will run foo and
pass /bar/baz as PATH_INFO. If you try to access foo/bar%2fbaz, it will
return NOT_FOUND because of unescape_url in util.c:

    if (url[x] == '/' || url[x] == '\0') badpath = 1;

Smells like a bug. Once again (sigh) no time to look more deeply, would
appreciate if someone familiar with that area take a look...
>How-To-Repeat:
>Fix:
[paraphrase from Roy] If you reduce all %2f occurrences to '/' before doing
any processing on the path, that should do it - at the expense of not being
able to handle any filenames that actually include '/'
>Audit-Trail:
>Unformatted:
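
The following is an added example, not part of the original report and not Apache's util.c: a simplified percent-decoder that contrasts the check quoted in the description with the paraphrased fix. The names decode_path, allow_slash and the DEC_* codes are hypothetical, and refusing a decoded NUL in both modes is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch (not Apache's constants). */
enum { DEC_OK = 0, DEC_BAD_ESCAPE = 400, DEC_NOT_FOUND = 404 };

static int hexval(char c)
{
    c = (char)tolower((unsigned char)c);
    return isdigit((unsigned char)c) ? c - '0' : c - 'a' + 10;
}

/* Decode %XX escapes in place.
 * allow_slash == 0: behaviour the report describes; a decoded '/' or
 *                   NUL marks the path bad and the request is refused.
 * allow_slash == 1: the paraphrased fix; %2f becomes a plain '/'.
 * A decoded NUL is refused either way: it would truncate the C string. */
int decode_path(char *url, int allow_slash)
{
    size_t r, w;
    int badesc = 0, badpath = 0;
    for (r = 0, w = 0; url[r] != '\0'; r++, w++) {
        if (url[r] != '%') {
            url[w] = url[r];
        } else if (!isxdigit((unsigned char)url[r + 1]) ||
                   !isxdigit((unsigned char)url[r + 2])) {
            badesc = 1;          /* malformed escape: keep the '%' */
            url[w] = '%';
        } else {
            char c = (char)(hexval(url[r + 1]) * 16 + hexval(url[r + 2]));
            r += 2;
            if (c == '\0' || (c == '/' && !allow_slash))
                badpath = 1;
            url[w] = c;
        }
    }
    url[w] = '\0';
    if (badesc)
        return DEC_BAD_ESCAPE;
    return badpath ? DEC_NOT_FOUND : DEC_OK;
}

int main(void)
{
    char a[] = "/bar%2fbaz", b[] = "/bar%2fbaz"; /* constructed inputs */
    int strict = decode_path(a, 0), relaxed = decode_path(b, 1);
    printf("strict=%d relaxed=%d path=%s\n", strict, relaxed, b);
    return 0;
}
```

In the relaxed mode the script receives /bar/baz and can no longer tell an encoded slash from a path separator, which is the trade-off the Fix section names.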