On 5/9/23 12:16 PM, Eric Covener wrote:
> Still getting feedback in the PR about breakage. Any thoughts on options
> here, like allowing spaces or encoding rather than failing?
Allowing spaces is out of question for me as it creates an invalid request and
opens the door to response splitting. At best we
could encode automatically. It is really a good question if we could not make
BCTLS the default.
>
> ---------- Forwarded message ---------
> From: *Ivan Zahariev* <notificati...@github.com
> <mailto:notificati...@github.com>>
> Date: Tue, May 9, 2023, 5:25 AM
> Subject: Re: [apache/httpd] don't forward invalid query strings (d78a166)
> To: apache/httpd <ht...@noreply.github.com <mailto:ht...@noreply.github.com>>
> Cc: Eric Covener <cove...@apache.org <mailto:cove...@apache.org>>, Mention
> <ment...@noreply.github.com
> <mailto:ment...@noreply.github.com>>
>
>
> Hi @covener <https://github.com/covener>. This is impacting lots of existing
> websites already.
>
> What is the downside if BCTLS can be enabled by default with an Apache config
> option, and there is a new flag to disable it in
> each RewriteRule in the rare case where we need to forward a non-encoded URL?
>
> —
> Reply to this email directly, view it on GitHub
> <https://github.com/apache/httpd/commit/d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51#commitcomment-112499050>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAG5WPKUFT7PN7ND5BMAD5TXFIEQBANCNFSM6AAAAAAV34NVFM>.
> You are receiving this because you were mentioned.Message ID:
> <apache/httpd/commit/d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51/112499...@github.com>
>
Regards
Rüdiger
