Re: [users@httpd] combining AllowEncodedSlashes, reverse proxy, and apache 1.x

I'm not really an expert in this stuff, but a couple comments anyway...

On 10/3/06, Matt Liggett <matt.liggett@xxxxxxxxxxxxxx> wrote:

> AllowEncodedSlashes bug
>
>   According to the docs[4],
>
>     Allowing encoded slashes does not imply decoding. Occurrences of
>     %2F or %5C (only on according systems) will be left as such in the
>     otherwise decoded URL string.
>
>   but it is our experience that if a URL like in [3] is passed to
>   Apache 2, it gets passed to the reverse proxy as
>
>     /data/workspaces/ambivalent/pages/either/or
>
>   which seems to be a bug.[5]

I don't believe that is really a bug.  The docs mean that activating
AllowEncodedSlashes does not in itself do any decoding.  But if you
have other stuff in the works that does decoding, all bets are off.

And in general, I don't think the unescaping algorithm has a bug
either.  RFC2396 section 2.4.2 says "If the given URI scheme defines
a canonicalization algorithm, then unreserved characters may be
unescaped according to that algorithm."

The slash is not a reserved character and hence can be unescaped,
according to my reading.  And there are good reasons for doing just
that.

If I were you, the first thing I would try is to make your back-end
application deal with this, either by accepting a raw slash, or by
generating URLs that use some other character in place of slash.

But I have to admit that the escaping and unescaping in mod_proxy and
mod_rewrite has always mystified me, and I wish it was better
documented and more configurable.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
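
The behaviour discussed in this thread, as an added example that is not part of the original messages: a decoder that leaves %2F and %5C encoded, as the quoted docs describe, next to a full decode, plus a check that compares the path a front end received with the path it forwarded. The request path containing `%2F` is constructed (the thread's link [3] is not reproduced here), and all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Matches an encoded '/' (%2F) or '\' (%5C), in either hex case.
_ENC_SLASH = re.compile(r"(%2[Ff]|%5[Cc])")


def decode_keep_slashes(path: str) -> str:
    """Percent-decode a path once, but leave %2F and %5C untouched."""
    parts = _ENC_SLASH.split(path)
    return "".join(p if _ENC_SLASH.fullmatch(p) else unquote(p) for p in parts)


def decode_all(path: str) -> str:
    """Percent-decode everything once, encoded slashes included."""
    return unquote(path)


def logical_segments(raw_path: str) -> list:
    """Split on literal '/' only, then decode each segment on its own."""
    return [unquote(seg) for seg in raw_path.split("/")]


def same_structure(received: str, forwarded: str) -> bool:
    """True if both raw paths describe the same sequence of segments."""
    return logical_segments(received) == logical_segments(forwarded)


# Constructed request path; the thread only shows what reached the back end.
RECEIVED = "/data/workspaces/ambivalent/pages/either%2For"
# Path the original poster reports being passed to the reverse proxy.
FORWARDED = "/data/workspaces/ambivalent/pages/either/or"

if __name__ == "__main__":
    print("keep slashes :", decode_keep_slashes(RECEIVED))
    print("decode all   :", decode_all(RECEIVED))
    print("segments in  :", logical_segments(RECEIVED))
    print("segments out :", logical_segments(FORWARDED))
    if not same_structure(RECEIVED, FORWARDED):
        print("encoded slash was decoded before forwarding")
```

Run over paired front-end and back-end access log entries, `same_structure` flags requests where an encoded slash was turned into a path separator on the way through the proxy.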


