You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ics.uci.edu> on 1997/11/24 07:09:18 UTC
Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
>LocationMatch/Location do collapse double slashes, but I consider this to
>be a bug. They are documented to work in the URI space, not in the
>filespace.
Yep, that's a bug. Dean's analysis matches what I would have said.
>RFC1738, RFC1808, and Roy's new draft appear silent on the issue.
"/" never equals "//". The only reason we collapse them for matches
against Directory sections is security within the filesystem mapping.
If the string is modified, the result should be a redirect or rejection.
A "//" is meaningful for all resource namespaces not aligned with the
filesystem, and that's the case for what mod_rewrite is doing.
....Roy
Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
Posted by Dean Gaudet <dg...@arctic.org>.
On Mon, 24 Nov 1997, Dirk-Willem van Gulik wrote:
> I am too getting a bit worried about all this. Filespace and URI space
> most certainly are not a bi-jection, should not be, and will most likely
> never be. Lets please, please be very carefull; when passing and handling
> URI's (and partial URI's) for cgi, include, rewrite, i.e. anywhere where
> it is not the final (injection) transformation to a file, it should be
> considered quite opaque. Including even the '#' and '?' :-)
Right, there was another PR recently complaining that a CGI can't pass
back # in a Location. If this is the case then I consider it a bug.
There was a search engine CGI once which would insert anchors into a
document, so that when you clicked on a search result link, it could stuff
a #anchor into the URL and send you right to the first match. There's got
to be other uses.
Dean
Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
Posted by Dirk-Willem van Gulik <di...@elect6.jrc.it>.
On Sun, 23 Nov 1997, Roy T. Fielding wrote:
> >LocationMatch/Location do collapse double slashes, but I consider this to
> >be a bug. They are documented to work in the URI space, not in the
> >filespace.
>
> Yep, that's a bug. Dean's analysis matches what I would have said.
> >RFC1738, RFC1808, and Roy's new draft appear silent on the issue.
>
> "/" never equals "//". The only reason we collapse them for matches
> against Directory sections is security within the filesystem mapping.
> If the string is modified, the result should be a redirect or rejection.
> A "//" is meaningful for all resource namespaces not aligned with the
> filesystem, and that's the case for what mod_rewrite is doing.
>
I am too getting a bit worried about all this. Filespace and URI space
most certainly are not a bi-jection, should not be, and will most likely
never be. Lets please, please be very carefull; when passing and handling
URI's (and partial URI's) for cgi, include, rewrite, i.e. anywhere where
it is not the final (injection) transformation to a file, it should be
considered quite opaque. Including even the '#' and '?' :-)
Dw.