[Yanel-dev] AllowEncodedSlashes Apache httpd reverse proxy
Guillaume Déflache
guillaume.deflache at wyona.com
Fri Dec 4 19:24:21 CET 2009
Michael Wechner wrote:
> Hi
>
> I have finally figured out how Apache httpd forwards %-encoded slashes:
>
> http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=6849
Beware, it looks like it's still buggy and/or documentation is
incorrect: https://issues.apache.org/bugzilla/show_bug.cgi?id=35256
("%2F will be decoded in PATH_INFO (Documentation to AllowEncodedSlashes
says no decoding will be done)")
I also could not find a reason why it is a security issue (except
ironically because only Apache does this so it allows detecting that
some site is running on Apache!), maybe we should ask the Apache people?
IMHO it is not really safe to rely on Apache or even other servers
doing this properly, so I suggest we keep our "^-encoding" method (cf.
org.wyona.yanel.core.util.HttpServletRequestHelper#decodeURIinURLpath[1]
for the decoder).
For Yanel this would mean we should provide a corresponding '^-version'
of
org.wyona.yanel.core.util.PathUtil#getResourcesHtdocsPathURLencoded[2]
probably with a different signature (I'd suggest
getResourcesHtdocsPath(Resource resource, final char escapeCharacter)).
I have had a (draft, untested) implementation of this sleeping on my
local work hard drive for some time...
[1]:
http://svn.wyona.com/repos/public/yanel/trunk/src/core/java/org/wyona/yanel/core/util/HttpServletRequestHelper.java
[2]:
http://svn.wyona.com/repos/public/yanel/trunk/src/core/java/org/wyona/yanel/core/util/PathUtil.java
And I think we should deprecate the other methods (the not-encoded and
URL-encoded ones).
WDYOT?
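The following is an added illustration of the point made in the message above, not Yanel's code: it does not reproduce the actual rules of HttpServletRequestHelper#decodeURIinURLpath, and the `^XX` hex scheme, the `/htdocs/` prefix and the proxy model are assumptions chosen to show the effect. It models an intermediary that percent-decodes the whole path (including %2F) before forwarding, and shows that a slash inside one path segment survives only when it is escaped with a character the intermediary does not touch.

```python
"""Constructed example: why an alternative escape character keeps a path
segment intact through a proxy that decodes %2F.

Assumptions (not from the Yanel project): '^' is the escape character and an
escaped byte is written as '^' followed by two hex digits ('^2F' for '/').
"""
from urllib.parse import quote, unquote

ESCAPE = "^"  # hypothetical escape character standing in for the '^-encoding'
HEX_DIGITS = set("0123456789abcdefABCDEF")


def encode_segment(segment: str, escape: str = ESCAPE) -> str:
    """Escape '/' and the escape character itself as <escape><hex><hex>.

    Everything else is passed through unchanged, so a proxy that only
    percent-decodes cannot turn one segment into several.
    """
    out = []
    for ch in segment:
        if ch == escape or ch == "/":
            out.append(f"{escape}{ord(ch):02X}")
        else:
            out.append(ch)
    return "".join(out)


def decode_segment(segment: str, escape: str = ESCAPE) -> str:
    """Inverse of encode_segment; rejects truncated or non-hex escapes
    instead of silently passing them through."""
    out = []
    i = 0
    while i < len(segment):
        ch = segment[i]
        if ch == escape:
            hexpart = segment[i + 1 : i + 3]
            if len(hexpart) != 2 or any(c not in HEX_DIGITS for c in hexpart):
                raise ValueError(f"malformed escape at offset {i}")
            out.append(chr(int(hexpart, 16)))
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def proxy_decodes_percent(path: str) -> str:
    """Model of an intermediary that percent-decodes the full path, %2F
    included, before the application sees it (the behaviour the thread
    describes for Apache's PATH_INFO handling)."""
    return unquote(path)


def segments_after_proxy(path: str) -> list:
    """How the application would split the path into segments after the
    modelled proxy has decoded it."""
    return proxy_decodes_percent(path).split("/")


def compare(segment: str, prefix: str = "/htdocs/", suffix: str = "/index.html") -> dict:
    """Build the same URL path with %-encoding and with ^-encoding of one
    segment and return the segment lists the application would see."""
    percent_path = prefix + quote(segment, safe="") + suffix
    caret_path = prefix + encode_segment(segment) + suffix
    return {
        "percent": segments_after_proxy(percent_path),
        "caret": segments_after_proxy(caret_path),
    }


if __name__ == "__main__":
    result = compare("a/b")
    # The %2F variant is split into an extra segment by the proxy; the
    # ^2F variant keeps its segment count and decodes back to 'a/b'.
    print(result["percent"])   # ['', 'htdocs', 'a', 'b', 'index.html']
    print(result["caret"])     # ['', 'htdocs', 'a^2Fb', 'index.html']
    print(decode_segment(result["caret"][2]))  # a/b
```

One caveat with any such scheme: '^' is not an unreserved character in RFC 3986, so an intermediary that normalises URLs aggressively may percent-encode it as %5E; the decoder above would then see no escape at all, which is why the application should check that decoding the received segment round-trips rather than assume the proxy left it alone.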