[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#421820: ap_escape_uri() doesn't escape &-sign

On Mittwoch, 9. Mai 2007, Thibaut VARENE wrote:
> On 5/9/07, Stefan Fritsch <sf@sfritsch.de> wrote:
> > > and then it ought to encode '&' as well in order to
> > > be RFC compliant.
> >
> > but this is not. Also, RFC1738 talks about UR*L*s, the later RFCs
> > talk about UR*I*s, and the function is called ap_escape_ur*i*().
> So I guess my code is ok, apache is OK and to get back to the
> submitter's issue, the issue lies in php? That would be fine by me,
> since my module seems to work fine as is anyway ;-)

I was tempted to agree and point to mod_rewrite's escape and unescape 
map functions, but those use ap_escape_uri :-(

So this should be considered a bug in mod_rewrite and has actually 
been reported upstream three times:


I will reassing this bug to apache2 since apache 1 will be removed 
from unstable soon.

Possible workarounds for the original submitter: 

- an external rewrite mapping program as suggested in the first of the 
three bug reports
- rewrite to /script.php/filename/and/path_with_&_blah_blubb.mp3 and 
try to extract the filename from php (I know that mod_perl makes the 
part after the script name available as "pathinfo", maybe php can do 
that as well)

To the Apache maintainers:

According to the second upstream bug report, Gentoo has included 
a "ampescape" internal map function for mod_rewrite that helps (but 
is not a complete solution). Should Debian include that as well?


Reply to: