"Roy T. Fielding" wrote:
>
> Your patch will simply let the %2F through, but then a later section
> of code will translate them to / and we've opened a security hole
> in the main server. I'd rather move the rejection code to the
> place where a decision has to be made (like the directory walk),
> but I have no time to do it myself. I think it is reasonable to
> allow %2F under some circumstances, but only in content handlers
> and only as part of path-info and not within the real directory
> structure.
Is this a veto? Because I'd like to understand how this "opens a security hole" available to client-side exploitation without server-side deficiencies (such as a poorly-coded CGI script). If there is none, I don't see why this cannot go in as a starting point.
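The ordering question the quoted message raises (decode the whole path first, or split on the literal `/` first and decide per segment at the directory walk) can be shown with a small model. The following is an added example written for this page, not Apache's code and not anything either poster sent; the toy document tree, the `Rejected` exception and the function names are assumptions. It contrasts the "decode everything, then split" order, in which a `%2F` becomes a real separator, with a walk that decodes each raw segment on its own, refuses a decoded `/` while still mapping onto real directories, and only tolerates it once a file has been reached and the remainder is path-info for a handler, which is the policy the quoted message proposes.

```python
from urllib.parse import unquote

# Constructed toy document tree (an assumption, not a real DocumentRoot):
# a dict is a directory, None is a file that a content handler would serve.
DOCROOT = {
    "cgi-bin": {"script.cgi": None},
    "docs": {"readme.txt": None},
}


class Rejected(Exception):
    """Raised when the request must be refused (a server would answer 404)."""


def decode_whole_then_split(raw_path):
    """The order the quoted message warns about: percent-decode the entire
    path first, then split it.  A %2F in the request has already turned into
    a '/' by the time the split happens, so it acts as a directory separator."""
    return [s for s in unquote(raw_path).split("/") if s]


def walk(raw_path):
    """Map a still-encoded request path onto DOCROOT, deciding per segment.

    The split on the literal '/' happens before any decoding and every raw
    segment is decoded separately.  While the walk is still inside real
    directories, a segment whose decoded form contains '/' (or that names
    no entry) is refused.  Once a file is reached, everything that follows
    is path-info: it is decoded and handed on as data, so a decoded '/'
    there is allowed.

    Returns (filesystem_segments, path_info).
    """
    node = DOCROOT
    fs_segments = []
    raw_segments = [s for s in raw_path.split("/") if s]
    for i, raw in enumerate(raw_segments):
        if node is None:
            # Previous segment was a file: the rest is path-info, not a path.
            rest = raw_segments[i:]
            return fs_segments, "/" + "/".join(unquote(s) for s in rest)
        seg = unquote(raw)
        if "/" in seg:
            # A separator that the split never saw: refuse rather than let it
            # silently extend the directory walk.
            raise Rejected(raw)
        if seg not in node:
            raise Rejected(raw)
        fs_segments.append(seg)
        node = node[seg]
    return fs_segments, ""


def accepts(raw_path):
    """Convenience wrapper: True if walk() maps the path, False if refused."""
    try:
        walk(raw_path)
        return True
    except Rejected:
        return False


if __name__ == "__main__":
    for p in ("/cgi-bin/script.cgi/a%2Fb/c", "/cgi-bin%2Fscript.cgi",
              "/docs/readme.txt"):
        print(p, "->", "accepted" if accepts(p) else "rejected",
              "| decode-first split:", decode_whole_then_split(p))
```

With this ordering, `/cgi-bin/script.cgi/a%2Fb/c` is served by `script.cgi` with path-info `/a/b/c`, while `/cgi-bin%2Fscript.cgi` is refused because the walk never sees a segment named `cgi-bin`; the decode-first variant would treat both identically.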