www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From c...@apache.org
Subject Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /
Date Thu, 24 Dec 1998 17:40:24 GMT
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]

Synopsis: CGI scripts never get invoked if the URL contains %2f instead of /

State-Changed-From-To: open-analyzed
State-Changed-By: coar
State-Changed-When: Thu Dec 24 09:40:23 PST 1998

This is intentional.  The presumption is that such
encoded slashes are being used as a form of attack, to
access restricted portions of the system that would
automatically be denied if the unencoded slash were
used.  The current version of the CGI spec (under
development at <http://Web.Golux.Com/coar/cgi/>) says
that the server can impose whatever restrictions it
likes upon PATH_INFO.  It's unclear whether rejecting
the request (as Apache currently does) is preferable to
invoking the script with PATH_INFO reduced to an empty
string.  PATH_TRANSLATED is closely related.

Category-Changed-From-To: general-mod_cgi
Category-Changed-By: coar
Category-Changed-When: Thu Dec 24 09:40:23 PST 1998

View raw message