Jeff Trawick writes:

> > scheme: @localhost, path: :8880
>
> not a valid scheme; apr_uri_parse should have failed it for that
> reason (needs to start with lower case, continue with lower case or
> digit or +.-)

...

> so: does fixing apr_uri_parse() resolve these? not generally (but I
> opened bug 52479 to track the bogus scheme issue)

I agree that rejecting @localhost::8880 as invalid in apr_uri_parse() because of the invalid scheme character does not resolve this issue.

Actually, the leading @ in that URI is misleading, as it's not needed for the attack. localhost: or even http: should work equally well (both result in non-NULL scheme and allow path starting with a character different from /).

--
Tomas Hoger
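The point of the exchange above is that a stricter scheme check in apr_uri_parse() only catches request-targets like `@localhost::8880`, while `localhost::8880` or `http::8880` still parse as a valid scheme followed by a path that does not begin with `/`. The following stand-alone C snippet is an added illustration written for this page, not code from APR or httpd: `valid_scheme()` implements the scheme rule exactly as quoted in the thread (lower-case first character, then lower-case letters, digits, `+`, `.` or `-`), and the hypothetical `classify_uri()` additionally distinguishes an absolute URI with an authority (`scheme://...`) from a scheme followed by an opaque path, which is the case the scheme check alone does not catch. The return codes and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Scheme rule as quoted in the thread: first character a lower-case
 * letter, the rest lower-case letters, digits or '+', '.', '-'.
 * (RFC 3986 also allows upper case; the thread's stricter form is kept.) */
static int valid_scheme(const char *s, size_t n)
{
    size_t i;
    if (n == 0 || !(s[0] >= 'a' && s[0] <= 'z'))
        return 0;
    for (i = 1; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '+' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hypothetical classifier for a request-target, illustrating why the
 * scheme check is necessary but not sufficient.  Return values:
 *   0  scheme present but malformed (what bug 52479 is about)
 *   1  absolute URI with an authority: "scheme://..."
 *   2  valid scheme followed by an opaque path (does not start with '/')
 *   3  no scheme: origin-form "/path..." */
int classify_uri(const char *uri)
{
    const char *colon;

    if (uri[0] == '/')              /* origin-form, nothing to parse as scheme */
        return 3;
    colon = strchr(uri, ':');
    if (colon == NULL)
        return 3;
    if (!valid_scheme(uri, (size_t)(colon - uri)))
        return 0;
    if (strncmp(colon + 1, "//", 2) == 0)
        return 1;
    return 2;                        /* e.g. "localhost::8880", "http::8880" */
}

int main(void)
{
    /* Constructed sample inputs taken from the discussion above. */
    const char *samples[] = { "@localhost::8880", "localhost::8880",
                              "http::8880", "http://example.com/", "/index.html" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> class %d\n", samples[i], classify_uri(samples[i]));
    return 0;
}
```

Only class 1 and class 3 look like targets a reverse proxy expects to see; class 0 is what a fixed scheme check rejects, and class 2 is exactly the shape Tomas describes that survives that fix and therefore needs its own handling downstream.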
