On Tue, May 9, 2023 at 2:10 PM Yann Ylavic <ylavic....@gmail.com> wrote:
>
> On Tue, May 9, 2023 at 12:55 PM Ruediger Pluem <rpl...@apache.org> wrote:
> >
> > On 5/9/23 12:16 PM, Eric Covener wrote:
> > > Still getting feedback in the PR about breakage. Any thoughts on options 
> > > here, like allowing spaces or encoding rather than failing?
> >
> > Allowing spaces is out of the question for me as it creates an invalid request
> > and opens the door to response splitting. At best we could encode automatically.
> > It is really a good question if we could not make BCTLS the default.
>
> BCTLS by default looks fine to me, it changes the behaviour for users
> that (used to) expect/handle decoded spaces in the query-string in
> their scripts, but it's blocked now anyway..

Hm, actually we don't really know where the backref is placed (either
in the uri-path or in the query-string), so escaping unconditionally
might lead to double-escaping in the uri-path. Maybe it's simpler to
remove the check and leave it to mod_proxy only..

>
>
> Regards;
> Yann.
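
The trade-off discussed in this message, as an added example that is not part of the original thread and is not httpd code: a simplified Python model of a rewrite substitution where the captured backreference is already decoded. It assumes the uri-path is percent-encoded once more in a later stage while the query-string is forwarded as is; all function names are hypothetical.

```python
from urllib.parse import quote

def expand(substitution, backref, escape_backref):
    """Substitute $1, optionally percent-encoding the captured text first."""
    value = quote(backref, safe="") if escape_backref else backref
    return substitution.replace("$1", value)

def finalize(target):
    """Assumed later stage: the path is escaped again, the query is left untouched."""
    path, sep, query = target.partition("?")
    return quote(path, safe="/") + sep + query

def has_space_or_ctl(target):
    """The kind of check the thread talks about: reject spaces and control chars."""
    return any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target)

def rewrite(substitution, backref, escape_backref):
    """Return (outgoing request target, would the check block it?)."""
    out = finalize(expand(substitution, backref, escape_backref))
    return out, has_space_or_ctl(out)

if __name__ == "__main__":
    backref = "a b"  # constructed sample: decoded capture containing a space
    for subst in ("/app/$1", "/app?q=$1"):
        for escape in (False, True):
            out, blocked = rewrite(subst, backref, escape)
            print(f"{subst:10} escape={escape!s:5} -> {out:16} blocked={blocked}")
```

In this model the unescaped backreference is only a problem in the query-string, and the unconditionally escaped one is only a problem in the uri-path, where the `%` of `%20` is encoded a second time.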
