Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1998/07/17 02:40:00 UTC

Re: protocol/2602: GET /cgi-bin/cginame%3Fparam=/path/filename does not replace %3f before searching cginame?param... (fwd)

The following reply was made to PR protocol/2602; it has been noted by GNATS.

From: Marc Slemko <ma...@znep.com>
To: Apache bugs database <ap...@apache.org>
Cc:
Subject: Re: protocol/2602: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param... (fwd)
Date: Thu, 16 Jul 1998 17:26:55 -0700 (PDT)

 ---------- Forwarded message ----------
 Date: Thu, 16 Jul 1998 18:15:01 +0300 (EET DST)
 From: Super-User <ro...@s2.rnc.ro>
 To: marc@hyperreal.org
 Subject: Re: protocol/2602: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param...
 
 
 > 
 > Synopsis: GET /cgi-bin/cginame%3Fparam=/path/filename  does not replace %3f before searching cginame?param...
 > 
 > State-Changed-From-To: open-closed
 > State-Changed-By: marc
 > State-Changed-When: Thu Jul 16 00:11:59 PDT 1998
 > State-Changed-Why:
 > The current behaviour is correct.  As URL specs detail,
 > '?' is a reserved character which is reserved for special
 > meaning.
 > 
 > For example, see section 2.2 of RFC-1738.
 > 
 > You can _not_ encode all characters, and encoding a
 > reserved character can and (in this case) does change
 > the semantics of the particular URL.
 
 O.K. could be. 
 Now what do you suggest I should use to make Windoze clients
 download cgi results correctly (i.e. use the last part of the url
 and NOT the cgi name) ?
 Or any other solution to restrict access to files based on IP of the client
 and NOT on passwords (those could be sniffed) ?
 Or any means to hack the apache code to accept parsing of %3F in cgi's ?
 Last but not least, would it hurt if this parsing of reserved characters
 (at least '?') would be an option in the apache config file ? (although
 I haven't yet met any cgi containing '?' in its name)
 
 
 I'd be very grateful if you could help me stop getting bugged by windozers
 wanting to d/l restricted files.
 (on my unix box, netscape does the downloads just o.k., it does not choke
 on the question mark).
 
 Andrei P
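
The rule cited in the State-Changed-Why text above, as an added example that is not part of the original thread and is not Apache source code: the request target is split at the first literal '?' and only then is the path percent-decoded, so an encoded %3F stays data inside the path. The function names split_target and pct_decode are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Apache source): decode %XX escapes in place.
 * Returns 0 on success, -1 on a malformed escape or an encoded NUL. */
static int pct_decode(char *s)
{
    char *out = s;
    for (; *s; s++) {
        if (*s != '%') { *out++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        char c = (char)strtol(hex, NULL, 16);
        if (c == '\0') return -1;   /* refuse %00 in a path */
        *out++ = c;
        s += 2;
    }
    *out = '\0';
    return 0;
}

/* Split the request target at the first *literal* '?', then decode only
 * the path. An encoded %3F never becomes a delimiter. On return *query
 * points at the raw (undecoded) query string, or is NULL if there is none. */
int split_target(char *target, char **query)
{
    char *q = strchr(target, '?');
    if (q) { *q = '\0'; *query = q + 1; }
    else   { *query = NULL; }
    return pct_decode(target);
}

int main(void)
{
    /* Constructed inputs: the two URL forms discussed in the PR. */
    char enc[] = "/cgi-bin/cginame%3Fparam=/path/filename";
    char raw[] = "/cgi-bin/cginame?param=/path/filename";
    char *q;
    if (split_target(enc, &q) == 0)
        printf("path=%s query=%s\n", enc, q ? q : "(none)");
    if (split_target(raw, &q) == 0)
        printf("path=%s query=%s\n", raw, q ? q : "(none)");
    return 0;
}
```

With the encoded form the whole string becomes the path to look up and there is no query; with the literal '?' the path is the CGI name and the rest is the query string.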