On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem <rpl...@apache.org> wrote: > > > > On 6/24/20 1:27 PM, Eric Covener wrote: > >> > >> ProxyMappingDecoded is not needed anymore (and was removed). > >> The mapping= tells mod_proxy at which stage ([pre_]translate) it > >> should map the request path. > > +1 > > > > Getting back to an old topic. Shouldn't we have a directive similar to > AllowEncodedSlashes that allows us to block URI's that contain > URL fragments like /.; and /..; in order to avoid that someone plays > silly games that bypass Location settings and RewriteRules > that might be used with a servlet engine in the backend? Happy > to have that set to a default that allows /.; and /..;.
+, but I'd want the safer default.