Bug#421820: ap_escape_uri() doesn't escape &-sign

To: Thibaut VARENE <varenet@debian.org>, 421820-quiet@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>, 421820@bugs.debian.org, 421820-submitter@bugs.debian.org
Subject: Bug#421820: ap_escape_uri() doesn't escape &-sign
From: Matthijs ten Berge <m.h.tenberge@alumnus.utwente.nl>
Date: Wed, 09 May 2007 22:20:24 +0200
Message-id: <[🔎] 46422D08.80800@alumnus.utwente.nl>
Reply-to: Matthijs ten Berge <m.h.tenberge@alumnus.utwente.nl>, 421820@bugs.debian.org
In-reply-to: <[🔎] 7d01f9f00705091157m1f46aca5o8b73fd212d3c43d2@mail.gmail.com>
References: <[🔎] 200705091909.42913.sf@sfritsch.de> <[🔎] 7d01f9f00705091032u6c6365e2s43a25953eae7b6e7@mail.gmail.com> <[🔎] 200705092050.23490.sf@sfritsch.de> <[🔎] 7d01f9f00705091157m1f46aca5o8b73fd212d3c43d2@mail.gmail.com>

Thibaut VARENE wrote:
> On 5/9/07, Stefan Fritsch <sf@sfritsch.de> wrote:
> So I guess my code is ok, apache is OK and to get back to the
> submitter's issue, the issue lies in php? That would be fine by me,
> since my module seems to work fine as is anyway ;-)
> 
> Thanks
> 
> T-Bone

Hi all,

So the conclusion so far is that it is OK to have an &-sign unencoded in
the path part of the URL (I didn't know that, sorry Thibaut).

With that point clear, the question is where it *does* go wrong... (am I
allowed to continue here, or should this move to a mailing list or so?).

So the file URLs are ok. My next step is some URL rewriting:

<Directory "/var/www-test/music/">
Options             Indexes MultiViews FollowSymlinks
AllowOverride       Indexes
# Can be overridden in .htaccess:
MusicIndex          On -Stream +Download +Search -Rss -Tarball
MusicSortOrder      title artist
MusicFields         filename title artist album length bitrate
MusicPageTitle      Test web-archive
MusicDefaultCss     musicindex.css
# Can only be set in apache configuration:
MusicDefaultDisplay HTML
MusicIndexCache     file://tmp/musicindex
MusicCookieLife     300
MusicDirPerLine     3
RewriteEngine On
RewriteBase /test/music
RewriteRule (.*)\.mp3$ /test/.downloadmp3.php?url=music/$1 [nocase]
</Directory>

It is clear that the .downloadmp3.php script doesn't get the url
parameter correctly, as the &-sign splits the argument.
To test the script, I replaced the contents of .downloadmp3.php with:

<?
echo "filename: ".$_REQUEST['url']."\n";
?>

which displays anything up to the first &-sign in the path :-(

For completeness: the real script is as follows (it forces a
save-to-disk dialog at the client side):

<?
$fileHandle = $_REQUEST['url'].'.mp3';
if (file_exists($fileHandle) == false)
    die("Cannot find the file \"". $fileHandle . "\". Please contact the
system administrator.");
$size=filesize($fileHandle);
header('HTTP/1.1 200 OK');
header('Date: ' . date("D M j G:i:s T Y"));
header('Last-Modified: ' . date("D M j G:i:s T Y"));
header("Content-Type: audio/mp3");
header("Content-Length: " . (string)($size) );
header("Content-Transfer-Encoding: Binary");
header('Content-Disposition: attachment;
filename="'.basename(urldecode($_REQUEST['url'])).'.mp3"' );
readfile($fileHandle);
?>


My guess is that things go wrong at the URL rewriting phase. Am I right?

Thanks,

Matthijs

Reply to:

References:
- Bug#421820: ap_escape_uri() doesn't escape &-sign
  - From: Stefan Fritsch <sf@sfritsch.de>
- Bug#421820: ap_escape_uri() doesn't escape &-sign
  - From: "Thibaut VARENE" <varenet@debian.org>
- Bug#421820: ap_escape_uri() doesn't escape &-sign
  - From: Stefan Fritsch <sf@sfritsch.de>
- Bug#421820: ap_escape_uri() doesn't escape &-sign
  - From: "Thibaut VARENE" <varenet@debian.org>

Prev by Date: Processed: reassign 421820 to apache2 ...
Next by Date: Processed: tagging 418925
Previous by thread: Re: Bug#421820: ap_escape_uri() doesn't escape &-sign
Next by thread: Processed: reassign 421820 to apache2 ...
Index(es):
- Date
- Thread