#690: Investigate possible impact of Apache Issue 34602, fixed in Apache HTTP
Server 2.2.8, on routing
---------------------+------------------------------------------------------
 Reporter:  david    |        Owner:  david   
     Type:  task     |       Status:  assigned
 Priority:  normal   |    Milestone:          
Component:  routing  |      Version:  0.11.0  
 Severity:  normal   |   Resolution:          
 Keywords:           |    Has_patch:  0       
---------------------+------------------------------------------------------
Changes (by david):

  * milestone:  0.11.3 =>


Comment:

 removing milestone. bug still exists in apache, see
 https://issues.apache.org/bugzilla/show_bug.cgi?id=45529 - we'll have to
 wait for it to be really fixed to start playing around with it.

 once it works as advertised, I believe we can take advantage of it and
 start mandating it in Agavi itself.

 http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteflags has an
 example:
   ''''B' (escape backreferences)'''
   Apache has to unescape URLs before mapping them, so backreferences will
 be unescaped at the time they are applied. Using the {{{B}}} flag, non-
 alphanumeric characters in backreferences will be escaped. For example,
 consider the rule:
   {{{
 RewriteRule ^(.*)$ index.php?show=$1
 }}}
   This will map {{{/C++}}} to {{{index.php?show=/C++}}}. But it will also
 map {{{/C%2b%2b}}} to {{{index.php?show=/C++}}}, because the {{{%2b}}} has
 been unescaped. With the {{{B}}} flag, it will instead map to
 {{{index.php?show=/C%2b%2b}}}.

   This escaping is particularly necessary in a proxy situation, when the
 backend may break if presented with an unescaped URL.

 This is something I have observed as well, and I believe it's a real
 problem, so for an Apache version that has a properly working {{{B}}} flag
 implementation, we should require people to use the flag. At the moment,
 there's special code inside {{{AgaviWebRouting}}} to handle this behavior
 of Apache.

-- 
Ticket URL: <http://trac.agavi.org/ticket/690#comment:8>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5


_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets
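
The mapping quoted in the comment above, as an added example that is not part of the original ticket and not Agavi or Apache code: a small Python model of the rule `RewriteRule ^(.*)$ index.php?show=$1` with and without the B flag, followed by the query-string decoding a backend performs. The function names are hypothetical, and the escaping model assumes every non-alphanumeric byte is percent-encoded, as the quoted sentence says, so the slash is encoded too.

```python
import re
from urllib.parse import parse_qs, unquote


def escape_backref(value: str) -> str:
    """Assumed model of the B flag: percent-encode every non-alphanumeric byte."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("%%%02x" % byte)
    return "".join(out)


def rewrite(request_path: str, b_flag: bool) -> str:
    """Model of: RewriteRule ^(.*)$ index.php?show=$1 [B]  (flag optional)."""
    # The server unescapes the URL before the pattern is matched, so the
    # backreference holds the decoded text.
    path = unquote(request_path)
    backref = re.match(r"^(.*)$", path).group(1)
    if b_flag:
        backref = escape_backref(backref)
    return "index.php?show=" + backref


def backend_value(target: str) -> str:
    """What a backend sees after standard query-string decoding of 'show'."""
    query = target.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)["show"][0]


if __name__ == "__main__":
    # Constructed sample requests, taken from the example in the comment.
    for path in ("/C++", "/C%2b%2b"):
        for flag in (False, True):
            target = rewrite(path, flag)
            print(f"{path!r:12} B={flag!s:5} -> {target!r:28} "
                  f"show={backend_value(target)!r}")
```

Without the flag, both requests reach the backend as `show=/C++`, and query-string decoding then turns each `+` into a space; with the flag the backend recovers `/C++` intact.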
