HTTP profiles
Apache2 (2.2.16-6+squeeze7)
Path tests
wget <host>/files/abc works
access.log: /files/abc
wget <host>/f%69les/abc works
access.log: /f%69les/abc
wget <host>/f%2569les/abc fails: 404 for /f%69les/abc, so only one decoding stage is performed
access.log: /f%2569les/abc
wget <host>/files%2fabc fails: 404 for /files/abc, so the %2f conversion is rejected for the path, but the decoded form is used in the 404 error
access.log: /files%2fabc
Query string
wget <host>/trac/search?q=test works, search for "test"
access.log: /trac/search?q=test
wget <host>/trac/search?q=t%65st works, search for "test"
access.log: /trac/search?q=t%65st
wget <host>/trac/search?q=t%2565st fails: Trac searches for "t%65st"
access.log: /trac/search?q=t%2565st
%2f in Query string
wget <host>/trac/search?q=t%2fst works, search for "t/st"
access.log: /trac/search?q=t%2fst
wget <host>/trac/search?q=t%252fst fails, search for "t%2fst"
access.log: /trac/search?q=t%252fst
It's unclear at this point if this conversion is done by Apache2 or python/trac.
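The path and query observations above can be turned into a check over logged request URIs. This is an added example, not part of the original page; the helper name `analyze` and the flag strings are hypothetical. It applies a single decoding stage, as observed, and flags anything that is still percent-encoded afterwards, plus encoded slashes in the path.

```python
import re
from urllib.parse import unquote

PCT = re.compile(r"%[0-9A-Fa-f]{2}")           # a percent-escape still present
ENC_SLASH = re.compile(r"%2f", re.IGNORECASE)  # encoded "/" in either case

def analyze(raw_uri):
    """Decode a logged URI once and flag leftovers (hypothetical helper)."""
    path, _, query = raw_uri.partition("?")
    flags = []
    # Observed above: an encoded slash in the path ends in a 404.
    if ENC_SLASH.search(path):
        flags.append("encoded-slash-in-path")
    # unquote() makes a single pass, matching the one stage observed.
    dpath, dquery = unquote(path), unquote(query)
    # Escapes that survive one pass mean the input was encoded twice.
    if PCT.search(dpath):
        flags.append("double-encoded-path")
    if PCT.search(dquery):
        flags.append("double-encoded-query")
    return {"path": dpath, "query": dquery, "flags": flags}

# Request URIs as recorded in access.log by the tests above.
SAMPLES = [
    "/files/abc",
    "/f%69les/abc",
    "/f%2569les/abc",
    "/files%2fabc",
    "/trac/search?q=t%65st",
    "/trac/search?q=t%2565st",
    "/trac/search?q=t%2fst",
    "/trac/search?q=t%252fst",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = analyze(uri)
        print(f"{uri:28} -> {r['path']} ? {r['query']}  {r['flags']}")
```

The query-string result models the end-to-end behaviour seen in the tests; it does not settle whether Apache2 or Trac performs that decoding.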
libhtp Apache_2_2 profile
- Leaves %2f in path untouched
- Normalizes %2f in query string to %2F
- Decodes/normalizes %252f in query string to %2F