The following reply was made to PR mod_cgi/3581; it has been noted by GNATS.
From: Mohit Aron <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /
Date: Sat, 26 Dec 1998 16:39:17 -0600 (CST)

> This is intentional. The presumption is that such
> encoded slashes are being used as a form of attack, to
> access restricted portions of the system that would
> automatically be denied if the unencoded slash were
> used. The current version of the CGI spec (under
> development at <http://Web.Golux.Com/coar/cgi/>) says
> that the server can impose whatever restrictions it
> likes upon PATH_INFO. It's unclear whether rejecting
> the request (as Apache currently does) is preferable to
> invoking the script with PATH_INFO reduced to an empty
> string. PATH_TRANSLATED is closely related.

Thanks for your earlier reply. I still don't fully understand the concern the Apache developers have. Here are my objections to not permitting a %2f in the URL:

1) Before passing the argument to CGI scripts, all arguments are unescaped anyway. So any %2f characters would have become a '/' anyway, and the CGI would be free to discard the arguments upon seeing the '/'. I think your concern applies to the case where the %2f is further escaped, i.e. into %25%32%66. Unfortunately, Apache still allows this sequence to pass. You can try this by:

   http://server/cgi-bin/printenv/a%25%32%66a/

Look at the PATH_INFO variable returned - it's "/a%2fa/".

2) I do believe that whether or not to discard the %2f is a policy issue and should be left to the CGIs.

If my objections seem sound, can you please release a patch for Apache that allows a '%2f'.

Thanks,
- Mohit
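The behaviour argued over in this thread, modelled as an added example that is not part of the PR, the reply, or Apache's own code: the server performs exactly one pass of %XX decoding on PATH_INFO and refuses the request when that pass produces a '/' (Apache's 404), which lets a singly-encoded "%2f" through as the literal text "%2f" (the printenv observation above), and a CGI that decodes PATH_INFO a second time then turns it into a real slash. The function names, the RejectedPath exception and the allow_encoded_slash switch are this example's own; the switch stands in for the server-side policy (later Apache releases expose it as the AllowEncodedSlashes directive), and the sample paths are constructed from the URL quoted in the message.

```python
import re
from urllib.parse import unquote


class RejectedPath(Exception):
    """Raised when the modelled server refuses the request (Apache answers 404)."""


_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def unescape_once(segment: str) -> tuple[str, bool]:
    """Decode exactly one layer of %XX escapes.

    Returns (decoded_text, saw_encoded_slash). re.sub does not rescan its own
    replacements, so "%25%32%66" becomes the three characters "%2f", not "/".
    """
    saw_slash = False

    def repl(m: re.Match) -> str:
        nonlocal saw_slash
        ch = chr(int(m.group(1), 16))
        if ch == "/":
            saw_slash = True
        return ch

    return _PCT.sub(repl, segment), saw_slash


def server_path_info(raw_path_info: str, allow_encoded_slash: bool = False) -> str:
    """Model the server: one decoding pass, then the encoded-slash policy.

    allow_encoded_slash is a hypothetical policy switch for this example;
    with it off, a '/' produced by decoding rejects the whole request.
    """
    decoded, saw_slash = unescape_once(raw_path_info)
    if saw_slash and not allow_encoded_slash:
        raise RejectedPath("encoded slash in PATH_INFO: %r" % raw_path_info)
    return decoded


def server_accepts(raw_path_info: str, allow_encoded_slash: bool = False) -> bool:
    """True if the modelled server would hand the request to the CGI at all."""
    try:
        server_path_info(raw_path_info, allow_encoded_slash)
        return True
    except RejectedPath:
        return False


def naive_cgi_view(path_info: str) -> str:
    """A CGI that unescapes PATH_INFO a second time.

    This is the double-decoding mistake: the server already decoded once, so
    the "%2f" that survived the server's check now becomes a real '/'.
    """
    return unquote(path_info)


def careful_cgi_view(path_info: str) -> str:
    """A CGI that treats PATH_INFO as already decoded and splits on '/' only.

    "%2f" stays an opaque three-character token inside one path segment,
    which is the policy decision the reply says should belong to the CGI.
    """
    return "/".join(seg for seg in path_info.split("/") if seg)


if __name__ == "__main__":
    # Constructed sample requests, following the printenv URL in the message.
    for raw in ("/a%2fa/", "/a%25%32%66a/"):
        if not server_accepts(raw):
            print("%-16s -> server rejects (404)" % raw)
            continue
        env = server_path_info(raw)
        print("%-16s -> PATH_INFO=%r naive_cgi=%r careful_cgi=%r"
              % (raw, env, naive_cgi_view(env), careful_cgi_view(env)))
```

The takeaway for either side of the argument is that percent-decoding has to happen exactly once on the whole path: the server's single pass cannot see through a second layer of encoding, so a CGI that calls unquote() on PATH_INFO reintroduces exactly the slash the server set out to block, while a CGI that treats PATH_INFO as final keeps "%2f" as ordinary characters in one segment.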
