http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21779

Need to reject malformed href strings sent by webdav client

           Summary: Need to reject malformed href strings sent by webdav client
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_dav
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

I have encountered two problems in using the Web Folders in XP Pro to manipulate files hosted on a webdav-enabled webserver. The server is Apache 2.0.47 with the mod_dav modules and runs under Linux.

The first problem is that XP does not escape the '#' character with a '%23' as part of the path segment. This is a Microsoft bug in XP, as the Win2K version seems to be better behaved.

The more serious problem is that the Apache server does not reject such a request but processes it with some nasty results.

In the following example, an authorized client/user has DELETE privileges on the webdav server. The test file is called '/websites/davtest/#dav_test.html', which is a valid filename in the Linux, Unix and MacOS worlds but not in Windows.

When the DELETE submission is made by a Cadaver client or a Win2K client, the following command is issued to the server:

    "DELETE /websites/davtest/%23dav_test.html HTTP/1.1"

and everything works as it should.

However, when a DELETE submission is made by XP Pro, the server receives

    "DELETE /websites/davtest/#23dav_test.html"

which doesn't escape the # character. The server accepts the command and proceeds to delete the following:

- #23dav_test.html
- all files in the /davtest directory
- the parent directory (davtest)

A server-based solution seems to be in order.

Thanks
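A sketch of the kind of server-side check the report asks for, as an added example that is not part of the original report and is not httpd or mod_dav code: `target_is_wellformed` and `path_after_split` are hypothetical helpers. It also shows that an RFC 3986 style split of the XP request target ends the path at the raw '#', so the path that remains names the collection /websites/davtest/.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an httpd/mod_dav API): returns 1 if the
 * request-target may be processed, 0 if it should get 400 Bad Request. */
int target_is_wellformed(const char *target)
{
    const char *p;
    if (target == NULL || target[0] != '/')
        return 0;                 /* this sketch handles origin-form only */
    for (p = target; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '#')
            return 0;             /* raw fragment delimiter: must be %23 */
        if (c <= 0x20 || c >= 0x7f)
            return 0;             /* space, control, non-ASCII: must be escaped */
        if (c == '%' && !(isxdigit((unsigned char)p[1]) &&
                          isxdigit((unsigned char)p[2])))
            return 0;             /* truncated or non-hex percent-escape */
    }
    return 1;
}

/* RFC 3986 split: the path ends at the first '?' or '#'. Copies it to out. */
size_t path_after_split(const char *target, char *out, size_t outlen)
{
    size_t n = strcspn(target, "?#");
    if (outlen == 0)
        return 0;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, target, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* The two request targets quoted in the report. */
    const char *samples[] = {
        "/websites/davtest/%23dav_test.html",   /* Cadaver / Win2K */
        "/websites/davtest/#23dav_test.html",   /* XP Pro */
    };
    char path[256];
    for (size_t i = 0; i < 2; i++) {
        path_after_split(samples[i], path, sizeof path);
        printf("%-38s path=%-38s %s\n", samples[i], path,
               target_is_wellformed(samples[i]) ? "accept" : "400 Bad Request");
    }
    return 0;
}
```

The check has to run on the raw request line, before any URI parsing or unescaping, because after the split the '#' is no longer visible in the path.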
