>Number:         876
>Category:       general
>Synopsis:       path-info should not be urlencoded
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Jul 17 07:40:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        
>Environment:
linux, solaris, sunos
>Description:
Apache urldecodes path-info but not query strings.
The upshot is that CGI scripts lack information about what was really
sent to the server, since the urldecoder does not fail when there are
characters that should have been encoded.
You should not urlencode
>How-To-Repeat:
Make a CGI that prints the environment.
Try typing:
http://server.com/cgi-bin/printenv/foo%20goo/doo=hoo%20goo
>Fix:
Turn off url-decoding of path-info or make it a config option:
1. no urldecoding of path-info
2. urldecoding only for correctly encoded path-info
3. urldecoding of all path-info (current behavior%2
>Audit-Trail:
>Unformatted:


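The three path-info policies listed under >Fix:, run over the report's test URL, as an added example in C that is not part of the original report and is not Apache's code. The enum names, `decode_path_info`, and the reading of "correctly encoded" as "only RFC 3986 path characters appear unescaped" are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Options 1, 2 and 3 from the report's Fix list (names are hypothetical). */
enum policy { PI_RAW, PI_STRICT, PI_LENIENT };

static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Assumption: "correctly encoded" = only RFC 3986 pchar bytes and '/' unescaped. */
static int path_safe(unsigned char c) {
    return isalnum(c) || (c && strchr("-._~!$&'()*+,;=:@/", c));
}

/* Returns 0 on success, -1 if the input is rejected or out is too small. */
int decode_path_info(const char *in, char *out, size_t outsz, enum policy p) {
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; in[i]; i++) {
        unsigned char c = (unsigned char)in[i];
        int hi, lo;
        if (o + 1 >= outsz) return -1;
        if (p != PI_RAW && c == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0
                && (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            c = (unsigned char)(hi * 16 + lo);
            if (c == 0) return -1;   /* a decoded NUL would truncate the C string */
            i += 2;
        } else if (p == PI_STRICT && (c == '%' || !path_safe(c))) {
            return -1;               /* malformed escape or byte that needed encoding */
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* Constructed inputs: the report's path-info, and the same path sent with raw spaces. */
    const char *in[] = { "/foo%20goo/doo=hoo%20goo", "/foo goo/doo=hoo goo" };
    char out[64];
    for (int i = 0; i < 2; i++)
        for (int p = PI_RAW; p <= PI_LENIENT; p++)
            printf("policy %d %-26s -> %s\n", p, in[i],
                   decode_path_info(in[i], out, sizeof out, (enum policy)p) ? "(rejected)" : out);
    return 0;
}
```

Under the lenient policy both inputs produce the same output, so a script reading the result cannot tell which one was sent; the strict policy rejects the raw-space form instead.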