On Sun, 9 Sep 2007 01:21:29 +0100 Nick Kew <[EMAIL PROTECTED]> wrote:
> PR 41798 and many related ones (eg 39746, 38980 - both of which I've > closed today) show a history of incorrect URL-unescaping in mod_proxy. Since then I've found several more duplicates in bugzilla. Furthermore, it's not limited to mod_proxy, as evidenced by PR#35256 (which I was on the point of entering anew when I found it). The simple patch to 35256 fixes the specific instance of un-breaking AllowEncodedSlashes, but what proxy could use is to be able to generalise that: maybe AllowEncodedChars [whatever]. There's a related class of issues concerning URLs and charset, in PR#18805 and PR#32730. This could probably be hacked around by pre-processing URLs in a post_read_request hook, but it would seem cleaner to tackle it when we run ap_unescape_url. I wonder if there's a case for an unescape_url hook, or for the existing unescape_url to be punted to a post_read_request function? -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
