www-apache-bugdb mailing list archives

From Robin Thellend <apache...@robin.pfft.net>
Subject Re: general/7865: %2F in PATH_INFO
Date Thu, 14 Jun 2001 03:15:45 GMT
Nowhere in RFC 2396 does it mention that %2F is illegal in a URI. Like
you say, %2F is a '/' that's not a path separator.

In my particular example:


%2F should be passed to script 'foo.php' unaltered and it is up to the
script to interpret the meaning of it.

The security concerns should be limited to accessing the filesystem. Then
and only then should you make sure there is no %2F in the path. However,
in my example, the filesystem access ends at foo.php. Everything else
after it has nothing to do with accessing a file and should be passed to
the script.

Thank you for your time.

On 14 Jun 2001 wrowe@apache.org wrote:

> Synopsis: %2F in PATH_INFO
> State-Changed-From-To: open-closed
> State-Changed-By: wrowe
> State-Changed-When: Wed Jun 13 17:38:40 PDT 2001
> State-Changed-Why:
> Please read this section of RFC2616 _very_ carefully.
>    Characters other than those in the "reserved" and "unsafe" sets (see
>    RFC 2396 [42]) are equivalent to their ""%" HEX HEX" encoding.
>    For example, the following three URIs are equivalent:
>       http://abc.com:80/~smith/home.html
>       http://ABC.com/%7Esmith/home.html
>       http://ABC.com:/%7esmith/home.html
> According to this standard, %2F is _not_ equivalent to '/'.
> In fact, the '/' is defined as a URI resource segment separator
> while %2F remains entirely undefined.  It's a '/' that is
> defined as 'not a path separator'.
> That meaning is bogus to httpd, so it is disallowed.
> This behavior, for security reasons, is by design.

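The distinction this thread turns on, as an added example that is not part of either message and is not Apache httpd code: the request path is split on literal '/' before percent-decoding, only the segments used for the file lookup are checked, and the remainder is handed to the script still encoded. The script set, the function names and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote

SCRIPTS = {"foo.php"}  # assumption: names the server resolves to script files


class UnsafePath(ValueError):
    """A segment bound for the filesystem decoded to something unsafe."""


def split_request_path(raw_path, scripts=SCRIPTS):
    """Return (script_path, raw_path_info) from an undecoded request path.

    The path is split on literal '/' before any percent-decoding, so an
    encoded %2F can never become a separator.
    """
    segments = raw_path.split("/")[1:]  # drop the piece before the leading '/'
    fs_parts = []
    for i, raw_seg in enumerate(segments):
        seg = unquote(raw_seg)
        # Only segments used for the file lookup are checked.
        if seg in ("", ".", "..") or any(c in seg for c in "/\\\x00"):
            raise UnsafePath(raw_seg)
        fs_parts.append(seg)
        if seg in scripts:
            rest = segments[i + 1:]
            # Everything after the script is handed over still encoded.
            path_info = "/" + "/".join(rest) if rest else ""
            return "/" + "/".join(fs_parts), path_info
    raise LookupError("no known script in " + raw_path)


def script_view(raw_path_info):
    """How a script can read PATH_INFO: split first, then decode."""
    return [unquote(s) for s in raw_path_info.split("/")[1:]]


def decode_then_split(raw_path_info):
    """The lossy order: decoding first merges %2F with real separators."""
    return unquote(raw_path_info).split("/")[1:]


if __name__ == "__main__":
    script, info = split_request_path("/foo.php/a%2Fb/c")  # constructed path
    print(script, info, script_view(info), decode_then_split(info))
```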