Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ICS.UCI.EDU> on 1997/03/07 17:54:30 UTC
Re: [BUG]: "unescape_url don't convert '+' to blank" on Linux (fwd)
>> From nobody@hyperreal.com Tue Feb 25 14:23:58 1997
>> Message-Id: <19...@taz.hyperreal.com>
>> From: richter@ecos.de
>> To: awm@qosina.com
>> Date: Tue Feb 25 11:24:10 1997
>> Subject: [BUG]: "unescape_url don't convert '+' to blank" on Linux
>>
>> Submitter: richter@ecos.de
>> Operating system: Linux, version: 2.0.26
>> Version of Apache Used: 1.2b7
>> Extra Modules used: mod_perl
>> URL exhibiting problem:
>>
>> Symptoms:
>> --
>> unescape_url doesn't convert the plus sign to blank. This makes trouble when
>> using it to unescape form contents, which may contain blanks. The following
>> patch to util.c should fix the problem:
>>
>> --- util.c.orig Tue Feb 25 13:17:58 1997
>> +++ util.c Tue Feb 25 15:33:46 1997
>> @@ -744,7 +744,8 @@
>> badesc = 0;
>> badpath = 0;
>> for(x=0,y=0;url[y];++x,++y) {
>> - if (url[y] != '%') url[x] = url[y];
>> + if (url[y] == '+') url[x] = ' ';
>> + else if (url[y] != '%') url[x] = url[y];
>> else
>> {
>> if (!isxdigit(url[y+1]) || !isxdigit(url[y+2]))
>>
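Review bot: The added `if (url[y] == '+') url[x] = ' ';` branch at the top of the loop is unconditional, so every string handed to unescape_url has its literal '+' characters rewritten to spaces, not only form contents. The plus-means-space convention applies to form-encoded data, while this loop decodes the URL in place with no knowledge of which part it is looking at. Suggest leaving this loop unchanged and doing the '+' substitution in a separate routine (or in the caller) that is applied only to the form or query data the report is concerned with.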
That patch will cause your server to fail on any file/directory
name that contains a "+" (a perfectly legal filename character on Unix).
unescape_url is not intended to unescape the query info part of a URL,
and the CGI is capable of doing that on its own anyway.
.....Roy [that's a big -1, dudes]
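
An added example, not part of the original thread and not Apache's util.c: one way to keep the two decoding rules apart, so that '+' is translated only for form values and never for paths. The names `unescape_common`, `example_unescape_path` and `example_unescape_form` are hypothetical, and rejecting a decoded NUL byte is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(unsigned char c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Decode %XX escapes in place. When plus_is_space is nonzero a literal '+'
 * becomes ' ' (form-value convention); otherwise '+' is copied unchanged
 * (path convention). Returns 0 on success, -1 on a malformed escape or a
 * decoded NUL byte (assumption of this example). */
static int unescape_common(char *s, int plus_is_space)
{
    size_t x = 0, y = 0;
    for (; s[y]; ++x, ++y) {
        if (s[y] == '+' && plus_is_space) {
            s[x] = ' ';
        } else if (s[y] != '%') {
            s[x] = s[y];
        } else {
            int c;
            if (!isxdigit((unsigned char)s[y + 1]) ||
                !isxdigit((unsigned char)s[y + 2]))
                return -1;
            c = hexval((unsigned char)s[y + 1]) * 16 + hexval((unsigned char)s[y + 2]);
            if (c == 0) return -1;
            s[x] = (char)c;
            y += 2;
        }
    }
    s[x] = '\0';
    return 0;
}

/* Path decoding: '+' is an ordinary filename character and must survive. */
int example_unescape_path(char *path) { return unescape_common(path, 0); }
/* Form-value decoding: apply to one value after splitting on '&' and '='. */
int example_unescape_form(char *value) { return unescape_common(value, 1); }

int main(void)
{
    char path[] = "/docs/c++/notes%20v1.txt";   /* constructed sample path */
    char value[] = "c%2B%2B+primer";            /* constructed form value */
    example_unescape_path(path);
    example_unescape_form(value);
    printf("path=[%s] value=[%s]\n", path, value);
    return 0;
}
```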