On Sep 13, 2007, at 12:30 PM, Nick Kew wrote:

On Thu, 13 Sep 2007 07:45:06 -0700
"Roy T. Fielding" <[EMAIL PROTECTED]> wrote:

Changes to the request URI must be referred back to the client in the
form of a redirect.  Any other choice will cause security holes in
the request chain, somewhere.

Mapping URLs internally is the server's business.
Mapping /a/../b/foo to /b/foo is a change of URL if and only
if it uses an HTTP redirect.  If it happens internally, it's
an equivalence between the two URLs.

An origin server is just fine with such an equivalence, but

The proxy (when acting as a proxy) must not change the URI.

This is exactly the bug I'm looking to fix.

The reverse proxy (gateway) is just an origin server with a
stupid name -- it must send a redirect if it makes the above
change to a URI.

That would then be handled at the uri_decode stage, before
mod_proxy ever looks at it.


But doesn't the patch affect the behavior of ProxyPass (reverse
proxy or gateway) and not Apache when being a "real" proxy server?
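
The distinction argued in this thread, as an added example that is not part of the original messages and is not Apache code: a forward proxy passes the request path through untouched, while a gateway that would canonicalize the path tells the client via a redirect instead of silently forwarding a different URI. The function names, the role strings and the treatment of `%2e` as an encoded dot (RFC 3986 section 6.2.2.2) are assumptions made for illustration.

```python
import re


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve "." and ".." path segments."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()          # ".." discards the previous segment
        elif path in (".", ".."):
            path = ""
        else:
            cut = path.find("/", 1)
            cut = len(path) if cut == -1 else cut
            out.append(path[:cut])  # move one whole segment to the output
            path = path[cut:]
    return "".join(out)


def normalize(path: str) -> str:
    # "." is an unreserved character, so "%2e" is equivalent to "."
    return remove_dot_segments(re.sub(r"%2e", ".", path, flags=re.IGNORECASE))


def handle(path: str, role: str):
    """Return ("forward", path) or ("redirect", canonical_path)."""
    if role == "forward-proxy":
        return ("forward", path)            # must not change the URI
    if role != "gateway":
        raise ValueError("unknown role: " + role)
    canonical = normalize(path)
    if canonical != path:
        return ("redirect", canonical)      # client learns the changed URI
    return ("forward", path)


if __name__ == "__main__":
    # Constructed sample paths, including the one discussed in the thread.
    for p in ("/a/../b/foo", "/a/%2E%2e/b/foo", "/b/foo"):
        print(p, handle(p, "forward-proxy"), handle(p, "gateway"))
```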
