On 4/11/23 11:36 PM, cove...@apache.org wrote:
> Author: covener
> Date: Tue Apr 11 21:36:55 2023
> New Revision: 1909073
>
> URL: http://svn.apache.org/viewvc?rev=1909073&view=rev
> Log:
> PR66563: escaping of url releated server vars
>
> Modified:
> httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> httpd/httpd/trunk/docs/manual/rewrite/flags.xml
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml?rev=1909073&r1=1909072&r2=1909073&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml Tue Apr 11 21:36:55 2023
> @@ -661,7 +661,11 @@ AliasMatch "^/myapp" "/opt/myapp-1.2.3"
> <dd>The path component of the requested URI,
> such as "/index.html". This notably excludes the
> query string which is available as its own variable
> - named <code>QUERY_STRING</code>.</dd>
> + named <code>QUERY_STRING</code>. The value returned for
> + both <code>REQUEST_URI</code> and <code>QUERY_STRING</code>
Are you sure that QUERY_STRING is decoded? IMHO QUERY_STRING returns r->args
which is not decoded.
> + has already been %-decoded, to re-encoded it pass it
> through
> + the "escape" <a href="#mapfunc">mapping-function</a>.
> + </dd>
>
> <dt><code>THE_REQUEST</code></dt>
>
Regards
RĂ¼diger
