Posted to apache-bugdb@apache.org by co...@apache.org on 1998/12/24 18:40:24 UTC

Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /

[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]


Synopsis: CGI scripts never get invoked if the URL contains %2f instead of /

State-Changed-From-To: open-analyzed
State-Changed-By: coar
State-Changed-When: Thu Dec 24 09:40:23 PST 1998
State-Changed-Why:

This is intentional.  The presumption is that such
encoded slashes are being used as a form of attack, to
access restricted portions of the system that would
automatically be denied if the unencoded slash were
used.  The current version of the CGI spec (under
development at <http://Web.Golux.Com/coar/cgi/>) says
that the server can impose whatever restrictions it
likes upon PATH_INFO.  It's unclear whether rejecting
the request (as Apache currently does) is preferable to
invoking the script with PATH_INFO reduced to an empty
string.  PATH_TRANSLATED is closely related.

Category-Changed-From-To: general-mod_cgi
Category-Changed-By: coar
Category-Changed-When: Thu Dec 24 09:40:23 PST 1998
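
The behaviour described in this message, sketched as an added example (not Apache's source code and not part of the original report): a percent-decoder that flags an encoded slash, followed by the two responses the message weighs, refusing the request or invoking the script with PATH_INFO reduced to an empty string. All names are hypothetical, and treating %00 as a bad escape is an assumption of the example.

```c
#include <ctype.h>

/* Hypothetical result and policy codes for this example (not Apache's constants). */
enum unescape_result { UNESCAPE_OK, UNESCAPE_BAD_ESCAPE, UNESCAPE_ENCODED_SLASH };
enum slash_policy { POLICY_REJECT, POLICY_EMPTY_PATH_INFO };

static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes in place. A literal '/' is copied through; an encoded
 * one (%2f or %2F) is reported. On failure the buffer must be discarded. */
enum unescape_result unescape_path(char *path)
{
    char *in = path, *out = path;
    while (*in) {
        if (*in != '%') { *out++ = *in++; continue; }
        int hi = hexval((unsigned char)in[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]); /* never reads past NUL */
        if (lo < 0) return UNESCAPE_BAD_ESCAPE;   /* truncated or non-hex escape */
        int ch = hi * 16 + lo;
        if (ch == 0) return UNESCAPE_BAD_ESCAPE;  /* assumption: %00 is refused too */
        if (ch == '/') return UNESCAPE_ENCODED_SLASH;
        *out++ = (char)ch;
        in += 3;
    }
    *out = '\0';
    return UNESCAPE_OK;
}

/* Returns 1 if the script may be invoked, 0 if the request is refused.
 * path_info is left decoded, or emptied under POLICY_EMPTY_PATH_INFO. */
int prepare_path_info(char *path_info, enum slash_policy policy)
{
    switch (unescape_path(path_info)) {
    case UNESCAPE_OK:
        return 1;
    case UNESCAPE_ENCODED_SLASH:
        if (policy == POLICY_EMPTY_PATH_INFO) { path_info[0] = '\0'; return 1; }
        return 0;
    default:
        return 0;
    }
}
```

Either policy keeps a decoded slash from ever reaching the script or the PATH_TRANSLATED mapping; they differ only in whether the script still runs.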