http://issues.apache.org/bugzilla/show_bug.cgi?id=35256

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #15682|0                           |1
        is obsolete|                            |

------- Additional Comments From [EMAIL PROTECTED]  2007-09-12 06:12 -------
Created an attachment (id=20796)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20796&action=view)
Patch allows letting %2f and %2c to pass unmolested in urldecode.

The docs state that:

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on according systems) to be used. Normally such URLs are refused with a 404 (Not found) error.

Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.

Allowing encoded slashes does not imply decoding. Occurrences of %2F or %5C (only on according systems) will be left as such in the otherwise decoded URL string.

But the unpatched ap_unescape_url_keep2f does not behave that way. It goes ahead and decrypts all the encoded chars found.

The patch attached checks for both %2f and %2c, and if either of the above, lets them pass unchanged.

Note that I did not use IS_SLASH to check as I do not understand why this needs to be system dependent. Especially since the apache may be acting as a reverse proxy whose origin server might be on a system with a different separator.
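The behaviour the quoted documentation describes (decode the URL but leave %2F and %5C as sent) can be sketched as follows. This is an added example, not the attached patch and not httpd source; `unescape_keep_slashes` and its return codes are hypothetical names chosen here, and the sample URL is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    return tolower(c) - 'a' + 10;
}

/*
 * Hypothetical helper (not httpd's ap_unescape_url_keep2f): decode %XX
 * escapes in place, but copy %2F and %5C through still encoded, on every
 * platform. Returns 0 on success, -1 on a malformed escape, -2 on %00.
 */
int unescape_keep_slashes(char *url)
{
    char *in = url, *out = url;

    while (*in) {
        if (*in != '%') {
            *out++ = *in++;
            continue;
        }
        if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
            return -1;                  /* "%", "%4", "%zz", ... */
        int ch = hexval((unsigned char)in[1]) * 16 + hexval((unsigned char)in[2]);
        if (ch == 0)
            return -2;                  /* %00 would truncate the C string */
        if (ch == '/' || ch == '\\') {
            memmove(out, in, 3);        /* keep the three bytes as sent */
            out += 3;
        } else {
            *out++ = (char)ch;
        }
        in += 3;
    }
    *out = '\0';
    return 0;
}

int main(void)
{
    char url[] = "/files/a%2Fb%20c/%2e%2e%5Cd";   /* constructed sample input */
    int rc = unescape_keep_slashes(url);
    printf("%d %s\n", rc, url);
    return 0;
}
```

On the constructed input the result is `/files/a%2Fb c/..%5Cd`: `%20` and `%2e%2e` are decoded, the encoded separators are not.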
