[In order for any reply to be added to the PR database, you need to include <[EMAIL PROTECTED]> in the Cc line and leave the subject line UNCHANGED. This is not done automatically because of the potential for mail loops. If you do not include this Cc, your reply may be ignored unless you are responding to an explicit request from a developer. Reply only with text; DO NOT SEND ATTACHMENTS!]

Synopsis: CGI scripts never get invoked if the URL contains %2f instead of /

State-Changed-From-To: open-analyzed
State-Changed-By: coar
State-Changed-When: Thu Dec 24 09:40:23 PST 1998
State-Changed-Why:
This is intentional. The presumption is that such encoded slashes are being used as a form of attack, to access restricted portions of the system that would automatically be denied if the unencoded slash were used.

The current version of the CGI spec (under development at <http://Web.Golux.Com/coar/cgi/>) says that the server can impose whatever restrictions it likes upon PATH_INFO. It's unclear whether rejecting the request (as Apache currently does) is preferable to invoking the script with PATH_INFO reduced to an empty string. PATH_TRANSLATED is closely related.

Category-Changed-From-To: general-mod_cgi
Category-Changed-By: coar
Category-Changed-When: Thu Dec 24 09:40:23 PST 1998
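
The two behaviours weighed in the reply above, sketched as an added example (not Apache's code and not part of the original message): a decoder that flags an escape decoding to a slash so the caller can reject the request, and the alternative of passing the script an empty PATH_INFO. The function names and the status values are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Status values are illustrative assumptions, not taken from the report. */
enum { PATH_OK = 0, PATH_BAD_ESCAPE = 400, PATH_ENCODED_SLASH = 404 };

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    return tolower((unsigned char)c) - 'a' + 10;
}

/*
 * Decode %XX escapes in place. An escape that decodes to '/' (or NUL) is
 * flagged instead of silently becoming a path separator, because access
 * checks made on the undecoded path never saw that separator.
 */
int unescape_path(char *path)
{
    char *in = path, *out = path;
    int bad_escape = 0, encoded_slash = 0;

    for (; *in; in++, out++) {
        if (*in != '%') { *out = *in; continue; }
        if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2])) {
            bad_escape = 1;          /* malformed escape: keep the '%' literally */
            *out = '%';
            continue;
        }
        char c = (char)(hexval(in[1]) * 16 + hexval(in[2]));
        in += 2;
        if (c == '/' || c == '\0') encoded_slash = 1;
        *out = c;
    }
    *out = '\0';
    if (bad_escape) return PATH_BAD_ESCAPE;
    if (encoded_slash) return PATH_ENCODED_SLASH;
    return PATH_OK;
}

/* Alternative raised in the reply: still run the script, but with PATH_INFO emptied. */
const char *path_info_or_empty(char *path_info)
{
    return unescape_path(path_info) == PATH_OK ? path_info : "";
}
```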
