Posted to dev@httpd.apache.org by Dan Poirier <po...@pobox.com> on 2011/03/04 14:39:37 UTC

Re: svn commit: r1069603 - /httpd/httpd/branches/2.2.x/STATUS

On Thu. 2011-02-10 at 05:57 PM EST, wrowe@apache.org wrote:

> Author: wrowe
> Date: Thu Feb 10 22:57:02 2011
> New Revision: 1069603
...
>  
>    * core: Add NoDecode option to AllowEncodedSlashes to turn off decoding
>      of encoded slashes in path info.  (This is already the behavior of
> @@ -192,11 +192,18 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>        Backport version for 2.2.x of patch:
>           http://people.apache.org/~poirier/AllowEncodedSlashes.22.patch
>        +1 poirier, jim
> +      +.1 wrowe; this essentially causes "%2F" -> "%2F" -> "%252F" to any backend,
> +                 as mentioned previously trunk is broken and decoding to 'something'
> +                 is necessary for routing such.  %2F cannot be distinguished from
> +                 %252F on the front end, adding risks.  All this said, not against 
> +                 an optional broken feature if this warning is placed in the docs.
> +                 Non-optional broken features are worse :)
> +                 Trunk must be patched identically.
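
Review bot: The last added line, "Trunk must be patched identically", does not say which trunk change is meant: adding the NoDecode option there, or changing what trunk already does with %2F. Suggest naming the intended trunk behaviour in the entry. The vote is also conditional on "this warning is placed in the docs" without saying what the warning must state; quoting the point from the same note ("%2F cannot be distinguished from %252F on the front end") as the required doc text would make the condition checkable.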

Bill, patching trunk identically would change the behavior of
"AllowEncodedSlashes On" in trunk from not decoding %2F to decoding %2F.
Before doing that, I wanted to double-check that was the intention, and
make sure nobody else objected to that behavior change in trunk.

(Background for those who haven't been following along: In trunk,
AllowEncodedSlashes On does not decode %2F.  In 2.2.x,
AllowEncodedSlashes On does decode %2F.  The proposed patch to 2.2.x
would add another option in 2.2.x, AllowEncodedSlashes NoDecode, which
would allow the encoded slashes but not decode them.)

Dan
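
The ambiguity described in the quoted STATUS note, as a simplified Python model added here (not part of the original message and not httpd's code). It assumes a single-pass percent-decoder on the front end and a forwarding step that re-escapes `%`; the function names and sample paths are constructed for illustration.

```python
# Simplified model of the behaviour discussed in the thread; NOT httpd code.
# All names and sample paths below are constructed for this example.
import re
from urllib.parse import quote

_ESC = re.compile(r"%([0-9A-Fa-f]{2})")
MODES = ("Off", "On", "NoDecode")


def unescape_path(raw, mode):
    """Single-pass percent-decode of an ASCII request path.

    Off      -> reject any path containing %2F (returns None)
    On       -> decode %2F to "/" (the 2.2.x behaviour per the thread)
    NoDecode -> accept %2F but leave it encoded
    """
    if mode not in MODES:
        raise ValueError("unknown mode: %r" % mode)
    if mode == "Off" and re.search(r"%2[Ff]", raw):
        return None

    def decode(match):
        if mode == "NoDecode" and match.group(1).upper() == "2F":
            return match.group(0)  # keep the encoded slash untouched
        return chr(int(match.group(1), 16))

    return _ESC.sub(decode, raw)


def to_backend(path):
    """Assumed forwarding step: re-escape the path, so "%" becomes "%25"."""
    return quote(path, safe="/")


def trace(raw, mode):
    """Return (path seen by the front end, path sent to the backend)."""
    front = unescape_path(raw, mode)
    return front, (None if front is None else to_backend(front))


if __name__ == "__main__":
    for mode in MODES:
        for raw in ("/app/a%2Fb", "/app/a%252Fb"):
            print("%-8s %-14s -> %r" % (mode, raw, trace(raw, mode)))
```

Under NoDecode the two different client requests produce the same front-end path and the same backend path, which is the risk a documentation warning would need to describe.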