Received: (qmail 24546 invoked by uid 2012); 26 Dec 1998 22:54:00 -0000 Message-Id: <19981226225400.24545.qmail@hyperreal.org> Date: 26 Dec 1998 22:54:00 -0000 From: Mohit Aron Reply-To: aron@cs.rice.edu To: apbugs@hyperreal.org Subject: Apache rejects URLs that contain a '%2f' instead of '/' X-Send-Pr-Version: 3.2 >Number: 3589 >Category: protocol >Synopsis: Apache rejects URLs that contain a '%2f' instead of '/' >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: duplicate >Submitter-Id: apache >Arrival-Date: Sat Dec 26 16:10:00 PST 1998 >Closed-Date: >Last-Modified: Fri Jun 13 15:01:27 PDT 2003 >Originator: aron@cs.rice.edu >Release: 1.3.3 >Organization: >Environment: SunOS noel.cs.rice.edu 5.5.1 Generic_103640-17 sun4u sparc SUNW,Ultra-1 >Description: I have previously filed a bug report saying that Apache refuses arguments to CGI scripts in the URL containing '%2f'. The reply was that Apache refuses to accept '%2f' in URL so that CGI scripts may not unknowingly allow something where a '/' would've called for refusal. My point is that Apache always unescapes the arguments before passing them to a CGI script. So a %2f in the URL would be seen by the CGI as a '/' and it is free to refuse corresponding access. I think Apache's intent should be to refuse a %2f in the UNESCAPED URL. That is, if a %2f is further escaped into %25%32%66, Apache would unescape it - so it'll become %2f and then it'll be passed to the cgi script. So Apache shouldn't be rejecting URLs containing a %2f - it should be rejecting URLs containing a %25%32%66 sequence. >How-To-Repeat: Try the following with the default Apache 1.3.3 distribution: http://serverhost/cgi-bin/printenv/a/a/ -> allowed http://serverhost/cgi-bin/printenv/a%2fa/ -> disallowed http://serverhost/cgi-bin/printenv/a%25%32%66a/ -> allowed (look at PATH_INFO) >Fix: The fix is to modify function ap_unescape_url() in src/util.c so that it doesn't reject %2f in the original URL but rather rejects %2f in the unescaped URL. >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Sat Dec 26 16:46:21 PST 1998 State-Changed-Why: As mentioned when your previous report was closed, this issue is being tracked in PR #543. It is not considered resolved, but we don't want to have multiple reports of the same problem when the database is available to all. If you wish to provide feedback on the issue, send a message to with a subject of 'Re: mod_cgi/543: "%2F" not allowed in VGI script PATH_INFO'. I am closing this report for the same reason. Class-Changed-From-To: sw-bug-duplicate Class-Changed-By: coar Class-Changed-When: Sat Dec 26 16:46:21 PST 1998 Comment-Added-By: coar Comment-Added-When: Fri Jun 13 15:01:27 PDT 2003 Comment-Added: This has been addressed in Apache 2.0.46 through the AllowEncodedSlashes directive. Category-Changed-From-To: mod_cgi-protocol Category-Changed-By: coar Category-Changed-When: Fri Jun 13 15:01:27 PDT 2003 >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]