The following reply was made to PR mod_cgi/3581; it has been noted by GNATS.
From: Mohit Aron <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /
Date: Thu, 24 Dec 1998 11:46:58 -0600 (CST)

> This is intentional. The presumption is that such
> encoded slashes are being used as a form of attack, to
> access restricted portions of the system that would
> automatically be denied if the unencoded slash were
> used. The current version of the CGI spec (under
> development at <http://Web.Golux.Com/coar/cgi/>) says
> that the server can impose whatever restrictions it
> likes upon PATH_INFO. It's unclear whether rejecting
> the request (as Apache currently does) is preferable to
> invoking the script with PATH_INFO reduced to an empty
> string. PATH_TRANSLATED is closely related.

This doesn't make sense. Why not unencode the slashes and then check whether access is to be allowed, rather than simply rejecting the URL if it contains encoded slashes?

I'm trying to configure the Technical Reports server for the Department of Computer Science at Rice University. This server interacts with the world through a CGI interface, and some of the commands that it gets have encoded slashes. The software is called 'Dienst' and most major universities run it; it's available from http://www.ncstrl.org/Dienst/htdocs/Info/about-ncstrl.html.

Is it at least possible to let the rejection of encoded URLs be determined on a per-site basis, i.e. through an option in the configuration file of Apache?

- Mohit

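The two positions in the thread (reject any %2F outright, versus decode first and then apply the access check) differ only in where the authorization decision is made relative to percent-decoding. The following example, added here and not part of the PR thread or of Apache's own mod_cgi code, models three policies over a constructed PATH_INFO: a weak check that authorizes on the still-encoded string (the case the quoted reply is worried about), the reject-on-%2F behaviour the PR describes, and the decode-then-check behaviour the reply asks for. The script prefix /cgi-bin/dienst, the restricted subtree /admin and the sample requests are assumptions chosen for illustration.

```python
# Added example (not from the PR thread or from Apache). Models how an
# encoded slash (%2F) in PATH_INFO interacts with an access check, depending
# on whether the check runs before or after percent-decoding. The prefix,
# the restricted subtree and the sample paths are constructed for this demo.
from urllib.parse import unquote

SCRIPT_PREFIX = "/cgi-bin/dienst"   # assumed location of the CGI script
RESTRICTED = ("/admin",)            # assumed protected PATH_INFO subtree


def path_info_of(raw_path):
    """Return the still-encoded PATH_INFO that follows SCRIPT_PREFIX, or None
    if the request is not for that script."""
    if raw_path == SCRIPT_PREFIX:
        return ""
    if raw_path.startswith(SCRIPT_PREFIX + "/"):
        return raw_path[len(SCRIPT_PREFIX):]
    return None


def normalize(path):
    """Collapse empty and dot segments: '/a//b/../c' -> '/a/c'.
    A '..' at the root is dropped rather than allowed to escape."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_restricted(path):
    """True if the (decoded, normalized) path lies inside a RESTRICTED tree."""
    return any(path == r or path.startswith(r + "/") for r in RESTRICTED)


def check_before_decode(raw_info):
    """Weak policy: authorize on the encoded string, decode afterwards.
    '%2F' is not a slash at check time, so '/%2Fadmin/...' is not seen as
    '/admin/...' and the script receives a path inside the restricted tree."""
    if is_restricted(normalize(raw_info)):
        return ("reject", None)
    return ("allow", unquote(raw_info))


def reject_encoded_slash(raw_info):
    """The behaviour the PR describes: any %2F is refused outright, and the
    ordinary access check still applies to everything else."""
    if "%2f" in raw_info.lower():
        return ("reject", None)
    decoded = normalize(unquote(raw_info))
    if is_restricted(decoded):
        return ("reject", None)
    return ("allow", decoded)


def decode_then_check(raw_info):
    """What the reply asks for: decode and normalize first, then run the same
    access check on the path the script would actually see."""
    decoded = normalize(unquote(raw_info))
    if is_restricted(decoded):
        return ("reject", None)
    return ("allow", decoded)


if __name__ == "__main__":
    # Constructed requests: a legitimate Dienst-style command with an encoded
    # slash, and two attempts to reach the restricted subtree.
    for raw in ("/cgi-bin/dienst/Listing%2FPapers",
                "/cgi-bin/dienst/%2Fadmin/config",
                "/cgi-bin/dienst/public/..%2Fadmin/config"):
        info = path_info_of(raw)
        print(raw)
        print("  check_before_decode :", check_before_decode(info))
        print("  reject_encoded_slash:", reject_encoded_slash(info))
        print("  decode_then_check   :", decode_then_check(info))
```

Running it shows the trade-off in the thread: reject_encoded_slash refuses the legitimate Dienst command along with the two probes, while decode_then_check admits the Dienst command and still refuses both probes, because the check runs on the same canonical path the script would receive. The weak check_before_decode variant is what makes encoded slashes look like an attack in the first place. Later Apache releases added an AllowEncodedSlashes directive for the per-site choice the reply asks about.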