I checked and the server accepts encoded slashes in query strings, regardless of AllowEncodedSlashes. So we're only concerned here with path info.
Right now in trunk, the default is to not accept encoded slashes, and if you turn AllowEncodedSlashes on, they are not decoded. This seems safe and matches the documentation, so I don't think trunk needs to be changed (unless somebody really needs the 2.x behavior, in which case they could add an option for that, but I don't need that.) In 2.2, the default is to not accept encoded slashes, but if you turn AllowEncodedSlashes On, they are decoded. This is contrary to the documentation and the trunk behavior, and seems potentially unsafe. But just changing to the trunk behavior could break users when they upgrade between 2.2 releases, so I think the best compromise for 2.2 is to add a new option to accept the slashes without decoding them. I have a patch to do that and I'll propose it in 2.2 STATUS for the usual vote. For 2.0, I think backporting whatever is done in 2.2 can be proposed in the usual way if anyone wants it, so we don't need to discuss that here. Thanks for everyone's input on this. Dan