>Number: 3589
>Category: mod_cgi
>Synopsis: Apache rejects URLs that contain a '%2f' instead of '/'
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Dec 26 16:10:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.3
>Environment:
SunOS noel.cs.rice.edu 5.5.1 Generic_103640-17 sun4u sparc SUNW,Ultra-1
>Description:
I have previously filed a bug report saying that Apache refuses arguments to CGI scripts in the URL containing '%2f'. The reply was that Apache refuses to accept '%2f' in URL so that CGI scripts may not unknowingly allow something where a '/' would've called for refusal.

My point is that Apache always unescapes the arguments before passing them to a CGI script. So a %2f in the URL would be seen by the CGI as a '/' and it is free to refuse corresponding access. I think Apache's intent should be to refuse a %2f in the UNESCAPED URL. That is, if a %2f is further escaped into %25%32%66, Apache would unescape it - so it'll become %2f and then it'll be passed to the cgi script. So Apache shouldn't be rejecting URLs containing a %2f - it should be rejecting URLs containing a %25%32%66 sequence.
>How-To-Repeat:
Try the following with the default Apache 1.3.3 distribution:

http://serverhost/cgi-bin/printenv/a/a/ -> allowed
http://serverhost/cgi-bin/printenv/a%2fa/ -> disallowed
http://serverhost/cgi-bin/printenv/a%25%32%66a/ -> allowed (look at PATH_INFO)
>Fix:
The fix is to modify function ap_unescape_url() in src/util.c so that it doesn't reject %2f in the original URL but rather rejects %2f in the unescaped URL.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
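
The three How-To-Repeat paths run through a one-pass decoder, as an added example that is not part of the original report and is not Apache's source. `unescape_once` is a simplified model of the refusal the report describes, `has_encoded_slash` is the post-decode check the report proposes, and both names and the status constants are hypothetical.

```c
/* Added illustration: a simplified model, not Apache's src/util.c. */
#include <stdio.h>
#include <string.h>

enum { UNESC_OK, UNESC_BAD_ESCAPE, UNESC_ENCODED_SLASH }; /* hypothetical codes */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes in place, exactly once. An escape that decodes to
 * '/' or NUL is refused, the behaviour the report attributes to 1.3.3.
 * On a non-OK return the buffer must not be used. */
int unescape_once(char *s) {
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        int hi = hexval(s[1]);
        int lo = (hi < 0) ? -1 : hexval(s[2]);   /* never read past the NUL */
        if (lo < 0) return UNESC_BAD_ESCAPE;
        char c = (char)(hi * 16 + lo);
        if (c == '/' || c == '\0') return UNESC_ENCODED_SLASH;
        *out++ = c;
        s += 3;
    }
    *out = '\0';
    return UNESC_OK;
}

/* The check the report proposes: after one pass, is "%2f" still present? */
int has_encoded_slash(const char *s) {
    for (; *s; s++)
        if (s[0] == '%' && s[1] == '2' && (s[2] == 'f' || s[2] == 'F'))
            return 1;
    return 0;
}

int main(void) {
    /* Path suffixes taken from the report's How-To-Repeat section. */
    char paths[3][16] = { "/a/a/", "/a%2fa/", "/a%25%32%66a/" };
    for (int i = 0; i < 3; i++) {
        int rc = unescape_once(paths[i]);
        int residual = (rc == UNESC_OK) && has_encoded_slash(paths[i]);
        printf("rc=%d residual_encoded_slash=%d\n", rc, residual);
    }
    return 0;
}
```

The third path passes the single decode and leaves `/a%2fa/`, which is why a script that decodes its PATH_INFO a second time would see a '/' there.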