You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Jerry Stratton <ns...@hoboes.com> on 1998/03/30 20:25:33 UTC

general/2018: QUERY_STRING parses %xx in SSI

>Number:         2018
>Category:       general
>Synopsis:       QUERY_STRING parses %xx in SSI
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Mar 30 10:30:01 PST 1998
>Last-Modified:
>Originator:     nspace@hoboes.com
>Organization:
apache
>Release:        Apache/1.2b11-dev IOCOM/2.0.v PHP/2.0b11 PyApache/2.25
>Environment:
Linux langley.io.com 2.0.32 #1 Tue Dec 9 16:16:54 CST 1997 i686
>Description:
When cgis are called as SSI (exec cgi), or when ENVs are accessed via SSI (echo), QUERY_STRING and QUERY_STRING_UNESCAPED have %xx converted to their respective characters.



As a side note, include virtual loses QUERY_STRING entirely, although it does have QUERY_STRING_UNESCAPED.
>How-To-Repeat:
http://www.hoboes.com/jerry/test.shtml?God=Excitable%20Boy&Bob=John%20Wesley

   will show all the ways that SSIs have the % characters parsed

http://www.hoboes.com/cgi-bin/Test.cgi?God=Excitable%20Boy&Bob=John%20Wesley

   will show the same cgi directly, with % characters not parsed, which I assume is the way it is supposed to be.
>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]