Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ics.uci.edu> on 1997/11/24 07:09:18 UTC

Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)

>LocationMatch/Location do collapse double slashes, but I consider this to
>be a bug.  They are documented to work in the URI space, not in the
>filespace. 

Yep, that's a bug.  Dean's analysis matches what I would have said.

>RFC1738, RFC1808, and Roy's new draft appear silent on the issue. 

"/" never equals "//".  The only reason we collapse them for matches
against Directory sections is security within the filesystem mapping.
If the string is modified, the result should be a redirect or rejection.
A "//" is meaningful for all resource namespaces not aligned with the
filesystem, and that's the case for what mod_rewrite is doing.

....Roy
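
The distinction drawn in the message above, as an added C example that is not part of the original thread and is not Apache httpd code: matching in URI space compares the path exactly as sent, while the filesystem mapping canonicalises and answers with a redirect (or a rejection) whenever canonicalisation changed the string. All function names, the buffer size, and the `/var/www` document root are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; none are Apache httpd functions. */
enum verdict { SERVE, REDIRECT, REJECT };

/* Collapse each run of '/' into a single '/'. */
static void collapse_slashes(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0' && j + 1 < outlen; i++) {
        if (in[i] == '/' && j > 0 && out[j - 1] == '/')
            continue;
        out[j++] = in[i];
    }
    out[j] = '\0';
}

/* URI-space match (Location-style): compare the path exactly as sent. */
static int uri_prefix_match(const char *uri_path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(uri_path, prefix, n) == 0 &&
           (uri_path[n] == '\0' || uri_path[n] == '/');
}

/* Filesystem mapping: canonicalise, but never serve a modified string
 * silently; answer with a redirect to the canonical path instead. */
static enum verdict map_to_file(const char *uri_path, const char *docroot,
                                char *out, size_t outlen)
{
    char canon[256];
    if (strlen(uri_path) >= sizeof canon)
        return REJECT;                      /* too long to canonicalise */
    collapse_slashes(uri_path, canon, sizeof canon);
    if (strcmp(canon, uri_path) != 0) {
        snprintf(out, outlen, "%s", canon); /* redirect target */
        return REDIRECT;
    }
    snprintf(out, outlen, "%s%s", docroot, canon);
    return SERVE;
}

int main(void)
{
    char out[512];                          /* sample paths are constructed */
    printf("match: %d\n", uri_prefix_match("/bar//goo.html", "/bar/goo.html"));
    printf("verdict: %d\n", map_to_file("/bar//goo.html", "/var/www", out, sizeof out));
    return 0;
}
```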

Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)

Posted by Dean Gaudet <dg...@arctic.org>.

On Mon, 24 Nov 1997, Dirk-Willem van Gulik wrote:

> I too am getting a bit worried about all this. Filespace and URI space
> most certainly are not a bi-jection, should not be, and will most likely
> never be. Let's please, please be very careful; when passing and handling
> URI's (and partial URI's) for cgi, include, rewrite, i.e. anywhere where
> it is not the final (injection) transformation to a file, it should be
> considered quite opaque. Including even the '#' and '?' :-)

Right, there was another PR recently complaining that a CGI can't pass
back # in a Location.  If this is the case then I consider it a bug. 
There was a search engine CGI once which would insert anchors into a
document, so that when you clicked on a search result link, it could stuff
a #anchor into the URL and send you right to the first match.  There's got
to be other uses. 

Dean



Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)

Posted by Dirk-Willem van Gulik <di...@elect6.jrc.it>.

On Sun, 23 Nov 1997, Roy T. Fielding wrote:

> >LocationMatch/Location do collapse double slashes, but I consider this to
> >be a bug.  They are documented to work in the URI space, not in the
> >filespace. 
> 
> Yep, that's a bug.  Dean's analysis matches what I would have said.
> 
> >RFC1738, RFC1808, and Roy's new draft appear silent on the issue. 
> 
> "/" never equals "//".  The only reason we collapse them for matches
> against Directory sections is security within the filesystem mapping.
> If the string is modified, the result should be a redirect or rejection.
> A "//" is meaningful for all resource namespaces not aligned with the
> filesystem, and that's the case for what mod_rewrite is doing.
> 

I too am getting a bit worried about all this. Filespace and URI space
most certainly are not a bi-jection, should not be, and will most likely
never be. Let's please, please be very careful; when passing and handling
URI's (and partial URI's) for cgi, include, rewrite, i.e. anywhere where
it is not the final (injection) transformation to a file, it should be
considered quite opaque. Including even the '#' and '?' :-)

Dw.