Received: (qmail 25474 invoked by uid 2012); 13 Jul 1998 08:35:01 -0000
Message-Id: <19980713083501.25473.qmail@hyperreal.org>
Date: 13 Jul 1998 08:35:01 -0000
From: Andrei Petrescu <root@s2.rnc.ro>
Reply-To: root@s2.rnc.ro
To: apbugs@hyperreal.org
Subject: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param...
X-Send-Pr-Version: 3.2

>Number:         2602
>Category:       protocol
>Synopsis:       GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param...
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          closed
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul 13 01:40:01 PDT 1998
>Last-Modified:  Thu Jul 16 17:40:00 PDT 1998
>Originator:     root@s2.rnc.ro
>Organization:
>Release:        1.2.1
>Environment:
It's not an os problem, it's in the URL parser of apache (the %hh stuff for
quoting special hex characters; HTTP standard says that URL's containing
%hh quoted characters should be equivalent to the ones containing the characters
themselves) 
>Description:
If some browser requests a CGI using %3F instead of '?',Apache will parse
the URL incorrectly and mistakenly search for a file containing '?' 
(e.g. cginame?xxx=yyy/zzz/ttt)

It is true that most browsers never use %3f with a cgi, but I need this
in order to enable windoze clients to download generated files (otherwise
windows will goof up the filename putting the cginame and a ? instead).
So, I modified another cgi to yield url's like
http://server.name.dom/cgi-bin/cginame%3Ffilename=/path/file.ext
so that netscape for windoze will use file.ext instead of cginame? as the
filename for d/l. But now apache says 404 not found, and a system trace 
says apache looks for cginame?filename=/path/file.ext and gets ENOENT.
Did you fix this problem in 1.6.* ?
If not, can you fix it ?
>How-To-Repeat:
Try to replace ? by %3f in a cgi name and load it like that, it will
fail.
>Fix:
When parsing an URL, replace the %xx characters before anything else, especially before searching 
the cgi file.
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: marc
State-Changed-When: Thu Jul 16 00:11:59 PDT 1998
State-Changed-Why:
The current behaviour is correct.  As URL specs detail,
'?' is a reserved character which are reserved for special
meaning.

For example, see section 2.2 of RFC-1738.

You can _not_ encode all characters, and encoding a
reserved character can and (in this case) does change
the semantics of the particular URL.

From: Marc Slemko <marcs@znep.com>
To: Apache bugs database <apbugs@apache.org>
Cc:  Subject: Re: protocol/2602: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param... (fwd)
Date: Thu, 16 Jul 1998 17:26:55 -0700 (PDT)

 ---------- Forwarded message ----------
 Date: Thu, 16 Jul 1998 18:15:01 +0300 (EET DST)
 From: Super-User <root@s2.rnc.ro>
 To: marc@hyperreal.org
 Subject: Re: protocol/2602: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param...
 
 
 > 
 > Synopsis: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param...
 > 
 > State-Changed-From-To: open-closed
 > State-Changed-By: marc
 > State-Changed-When: Thu Jul 16 00:11:59 PDT 1998
 > State-Changed-Why:
 > The current behaviour is correct.  As URL specs detail,
 > '?' is a reserved character which are reserved for special
 > meaning.
 > 
 > For example, see section 2.2 of RFC-1738.
 > 
 > You can _not_ encode all characters, and encoding a
 > reserved character can and (in this case) does change
 > the semantics of the particular URL.
 
 O.K. could be. 
 Now what do you suggest I should use to make Windoze clients
 download cgi results correctly (i.e. use the last part of the url
 and NOT the cgi name) ?
 Or any other solution to restrict access to files based on IP of the client
 and NOT on passwords (those could be sniffed) ?
 Or any means to hack the apache code to accept parsing of %3F in cgi's ?
 Last but not least, would it hurt if this parsing of reserved characters
 (at least '?') would be an option in the apache config file ?(although
 I haven't met yet any cgi containing '?' in it's name)
 
 
 I'd be very greatful if you could help me stop getting bugged by windozers
 wanting to d/l restricted files.
 (on my unix box, netscape does the downloads just o.k., it does not choke
 on the question mark).
 
 Andrei P
 
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]