Hi,
Apache 1.3.3 rejects an escaped '/' in all URLs - even if it's an
argument to a CGI script. So for example, in the default distribution the
following would work:
http://serverhost/cgi-bin/printenv/a/a/
while the following would not:
http://serverhost/cgi-bin/printenv/a%2fa/
Notice that the '/' has been encoded into '%2f' in the second URL. I do not
understand why Apache insists on discarding URLs where a '/' is encoded into
'%2f'. I filed a bug report and the reason quoted by the maintainers was that
they don't want unsuspecting CGI scripts from unknowingly allowing the '%2f' where
a '/' would have failed. I have two objections to this:
1) Firstly the webserver unescapes all arguments to the CGI script before
invoking it - hence the CGI won't see a '%2f' in the first place.
2) The Apache maintainers are trying to violate a very basic rule - separation
of mechanism and policy. Rather than providing the mechanism, they're
enforcing the policy of not accepting '%2f'.
The reason I want this restriction removed is because there is software out
there that escapes all arguments to CGI scripts - even '/'. This software
completely fails with Apache - an example is the Tech Report server software
called Dienst available from http://www.ncstrl.org/ and used by most major
Universities.
- Mohit
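
The ambiguity at issue in the post above, as an added example (not code from the post, from Apache or from Dienst): if the whole path is unescaped before the script sees it, the two printenv URLs become indistinguishable, while splitting on literal '/' before unescaping keeps them apart. The `handle` function and its policy names are hypothetical, and the two sample paths are the post's URLs with the script prefix removed.

```python
from urllib.parse import unquote

# Constructed inputs: the extra path of the two URLs in the post.
PLAIN = "/a/a/"
ENCODED = "/a%2fa/"


def has_encoded_slash(raw_path):
    """True if the raw (still escaped) path contains an escaped '/'."""
    return "%2f" in raw_path.lower()


def decode_whole(raw_path):
    """Unescape the whole path at once, as a decoded PATH_INFO would be."""
    return unquote(raw_path)


def decode_per_segment(raw_path):
    """Split on literal '/' first, then unescape each segment on its own."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def handle(raw_path, policy):
    """Hypothetical front end with a selectable policy for '%2f'.

    'reject'  -> refuse any path with an escaped slash (the behaviour
                 the post describes); returns None
    'decode'  -> hand the script one fully unescaped string
    'segment' -> hand the script a list of unescaped segments, so a '/'
                 that was escaped stays inside its segment
    """
    if policy == "reject":
        return None if has_encoded_slash(raw_path) else decode_whole(raw_path)
    if policy == "decode":
        return decode_whole(raw_path)
    if policy == "segment":
        return decode_per_segment(raw_path)
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    for path in (PLAIN, ENCODED):
        for policy in ("reject", "decode", "segment"):
            print(path, policy, handle(path, policy))
```

Under 'decode' the script cannot tell which URL was requested, which is the case the maintainers' answer is concerned with; under 'segment' the escaped slash survives as data.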