https://issues.apache.org/bugzilla/show_bug.cgi?id=35256
--- Comment #13 from Will Rowe <[email protected]> 2010-03-09 20:37:30 UTC ---

My question is; what is adding the string %2f to the token?

If the string needs to be the Literal Text, e.g. a file named foo%2fbar, that URL is only valid if the '%' is escaped by the client. E.g. to retrieve /foo%2fbar - the string /foo%252fbar must be passed as the request URI.

It isn't a question of accepting '%2F' but a question of passing the percent as an encoded literal; refer to http://tools.ietf.org/html/rfc2396 section 2.4.2;

   Because the percent "%" character always has the reserved purpose of being the escape indicator, it must be escaped as "%25" in order to be used as data within a URI. Implementers should be careful not to escape or unescape the same string more than once, since unescaping an already unescaped string might lead to misinterpreting a percent data character as another escaped character, or vice versa in the case of escaping an already escaped string.

The reason %2f or %5C are decrypted goes to this statement;

   In some cases, data that could be represented by an unreserved character may appear escaped; for example, some of the unreserved "mark" characters are automatically escaped by some systems. If the given URI scheme defines a canonicalization algorithm, then unreserved characters may be unescaped according to that algorithm. For example, "%7e" is sometimes used instead of "~" in an http URL path, but the two are equivalent for an http URL.

The keyword here is 'equivalent'. httpd cannot preserve the %2F text while allowing safe reencoding/redecoding.

If the client is failing to escape '%' that is a client flaw; please mention what the origin of this filename pattern is. A form submission?

We concur the documentation is entirely broken and needs to be revisited.
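The escaping rule quoted from RFC 2396 section 2.4.2 in the comment above, as an added Python example that is not part of the original comment or of httpd's code. The function names, and the policy of refusing a segment that decodes to a separator, are assumptions made for illustration.

```python
from urllib.parse import quote, unquote


class EncodedSeparatorError(ValueError):
    """A segment carried %2F or %5C and decoded to a path separator."""


def encode_literal_name(name):
    """Client side: escape a literal file name for use as one path segment.

    With safe="" the percent sign itself is escaped, so '%' becomes '%25'.
    """
    return quote(name, safe="")


def decode_path_once(raw_path):
    """Server side: split on literal '/' first, then unescape each segment once.

    Splitting before decoding keeps real separators apart from escaped ones.
    """
    segments = []
    for raw_segment in raw_path.split("/"):
        segment = unquote(raw_segment)  # exactly one decode pass
        if "/" in segment or "\\" in segment:
            # After decoding, %2F or %5C is indistinguishable from a real
            # separator, so this (assumed) policy refuses the request.
            raise EncodedSeparatorError(raw_segment)
        segments.append(segment)
    return segments


def double_decode(raw_path):
    """The mistake the RFC warns about: unescaping the same string twice."""
    return unquote(unquote(raw_path))


if __name__ == "__main__":
    # Constructed sample: the literal file name used in the comment.
    wire = "/" + encode_literal_name("foo%2fbar")
    print("request URI      :", wire)                    # /foo%252fbar
    print("decoded once     :", decode_path_once(wire))  # ['', 'foo%2fbar']
    print("decoded twice    :", double_decode(wire))     # /foo/bar
    try:
        decode_path_once("/foo%2fbar")  # client did not escape '%'
    except EncodedSeparatorError as exc:
        print("refused segment  :", exc)
```
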
