Re: Bug#421820: ap_escape_uri() doesn't escape &-sign
On Mittwoch, 9. Mai 2007, Thibaut VARENE wrote:
> On 5/9/07, Stefan Fritsch <sf@sfritsch.de> wrote:
> > > and then it ought to encode '&' as well in order to
> > > be RFC compliant.
> >
> > but this is not. Also, RFC1738 talks about UR*L*s, the later RFCs
> > talk about UR*I*s, and the function is called ap_escape_ur*i*().
>
> So I guess my code is ok, apache is OK and to get back to the
> submitter's issue, the issue lies in php? That would be fine by me,
> since my module seems to work fine as is anyway ;-)
I was tempted to agree and point to mod_rewrite's escape and unescape
map functions, but those use ap_escape_uri :-(
So this should be considered a bug in mod_rewrite and has actually
been reported upstream three times:
http://issues.apache.org/bugzilla/show_bug.cgi?id=23295
http://issues.apache.org/bugzilla/show_bug.cgi?id=32328
http://issues.apache.org/bugzilla/show_bug.cgi?id=39739
I will reassing this bug to apache2 since apache 1 will be removed
from unstable soon.
Possible workarounds for the original submitter:
- an external rewrite mapping program as suggested in the first of the
three bug reports
- rewrite to /script.php/filename/and/path_with_&_blah_blubb.mp3 and
try to extract the filename from php (I know that mod_perl makes the
part after the script name available as "pathinfo", maybe php can do
that as well)
To the Apache maintainers:
According to the second upstream bug report, Gentoo has included
a "ampescape" internal map function for mod_rewrite that helps (but
is not a complete solution). Should Debian include that as well?
Cheers,
Stefan
Reply to: