httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] combining AllowEncodedSlashes, reverse proxy, and apache 1.x
Date Tue, 03 Oct 2006 17:54:14 GMT
I'm not really an expert in this stuff, but a couple comments anyway...

On 10/3/06, Matt Liggett <matt.liggett@socialtext.com> wrote:

> AllowEncodedSlashes bug
>
>   According to the docs[4],
>
>     Allowing encoded slashes does not imply decoding. Occurrences of
>     %2F or %5C (only on according systems) will be left as such in the
>     otherwise decoded URL string.
>
>   but it is our experience that if a URL like in [3] is passed to
>   Apache 2, it gets passed to the reverse proxy as
>
>     /data/workspaces/ambivalent/pages/either/or
>
>   which seems to be a bug.[5]

I don't believe that is really a bug.  The docs mean that activating
AllowEncodedSlashes does not in itself do any decoding.  But if you
have other stuff in the works that does decoding, all bets are off.

And in general, I don't think the unescaping algorithm has a bug
either.  RFC2396 section 2.4.2 says "If the given URI scheme defines a
canonicalization algorithm, then unreserved characters may be unescaped
according to that algorithm."

The slash is not a reserved character and hence can be unescaped,
according to my reading.  And there are good reasons for doing just
that.

If I were you, the first thing I would try is to make your back-end
application deal with this, either by accepting a raw slash, or by
generating URLs that use some other character in place of slash.

But I have to admit that the escaping/unescaping in mod_proxy and
mod_rewrite has always mystified me, and I wish it was better
documented and more configurable.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
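
The effect discussed in this message, as an added Python illustration (not code from the message or from the Apache project): unescaping a whole path before splitting it changes the segment structure, and a back end that substitutes another character for the slash, as suggested above, keeps its segments intact. The `%2F` input URL, the `~XX` substitution scheme and all function names are assumptions made for this example; Python 3.7 or later is assumed, where `quote` leaves `~` unescaped.

```python
import re
from urllib.parse import quote, unquote

def split_then_decode(raw_path):
    """Segment-aware parsing: split on literal '/', then unescape each segment."""
    return [unquote(s) for s in raw_path.split("/") if s]

def decode_then_split(raw_path):
    """What the back end sees after a hop that unescapes the whole path."""
    return [s for s in unquote(raw_path).split("/") if s]

def segments_changed(raw_path):
    """True when whole-path unescaping alters the segment structure."""
    return split_then_decode(raw_path) != decode_then_split(raw_path)

# Hypothetical substitution scheme: '~' is the escape character, so a literal
# '~' must itself be escaped to keep decoding unambiguous.
_ESC = {"~": "~7E", "/": "~2F", "\\": "~5C"}

def encode_segment(name):
    """Turn a page name into one path segment that contains no %2F or %5C."""
    tilde = "".join(_ESC.get(ch, ch) for ch in name)
    return quote(tilde, safe="")

def decode_segment(segment):
    """Back-end side: undo percent-encoding, then the '~XX' substitution."""
    text = unquote(segment)
    return re.sub(r"~(7E|2F|5C)", lambda m: chr(int(m.group(1), 16)), text)

if __name__ == "__main__":
    # Constructed sample: the page name "either/or" with its slash percent-encoded.
    risky = "/data/workspaces/ambivalent/pages/either%2For"
    print(segments_changed(risky), decode_then_split(risky))
    safe = "/data/workspaces/ambivalent/pages/" + encode_segment("either/or")
    print(safe, segments_changed(safe))
    print(decode_segment(decode_then_split(safe)[-1]))
```
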

