[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#421820: ap_escape_uri() doesn't escape &-sign

Thibaut VARENE wrote:
> On 5/9/07, Stefan Fritsch <sf@sfritsch.de> wrote:
> So I guess my code is ok, apache is OK and to get back to the
> submitter's issue, the issue lies in php? That would be fine by me,
> since my module seems to work fine as is anyway ;-)
> Thanks
> T-Bone

Hi all,

So the conclusion so far is that it is OK to have an &-sign unencoded in
the path part of the URL (I didn't know that, sorry Thibaut).

With that point clear, the question is where it *does* go wrong... (am I
allowed to continue here, or should this move to a mailing list or so?).

So the file URLs are ok. My next step is some URL rewriting:

<Directory "/var/www-test/music/">
Options             Indexes MultiViews FollowSymlinks
AllowOverride       Indexes
# Can be overridden in .htaccess:
MusicIndex          On -Stream +Download +Search -Rss -Tarball
MusicSortOrder      title artist
MusicFields         filename title artist album length bitrate
MusicPageTitle      Test web-archive
MusicDefaultCss     musicindex.css
# Can only be set in apache configuration:
MusicDefaultDisplay HTML
MusicIndexCache     file://tmp/musicindex
MusicCookieLife     300
MusicDirPerLine     3
RewriteEngine On
RewriteBase /test/music
RewriteRule (.*)\.mp3$ /test/.downloadmp3.php?url=music/$1 [nocase]

It is clear that the .downloadmp3.php script doesn't get the url
parameter correctly, as the &-sign splits the argument.
To test the script, I replaced the contents of .downloadmp3.php with:

echo "filename: ".$_REQUEST['url']."\n";

which displays anything up to the first &-sign in the path :-(

For completeness: the real script is as follows (it forces a
save-to-disk dialog at the client side):

$fileHandle = $_REQUEST['url'].'.mp3';
if (file_exists($fileHandle) == false)
    die("Cannot find the file \"". $fileHandle . "\". Please contact the
system administrator.");
header('HTTP/1.1 200 OK');
header('Date: ' . date("D M j G:i:s T Y"));
header('Last-Modified: ' . date("D M j G:i:s T Y"));
header("Content-Type: audio/mp3");
header("Content-Length: " . (string)($size) );
header("Content-Transfer-Encoding: Binary");
header('Content-Disposition: attachment;
filename="'.basename(urldecode($_REQUEST['url'])).'.mp3"' );

My guess is that things go wrong at the URL rewriting phase. Am I right?



Reply to: