
Re: epoch fix?

On Wed, May 08, 2013 at 11:55:48AM +0200, Adam Borowski wrote:
> A test case (in a directory you can see via http://angband.pl/tmp/):
> for x in : %3A %3a; do echo "$x" >"foo${x}bar";done
> echo ok >baz%3Aquux
> Let's try to access a file with % :
> wget -q -O- http://angband.pl/tmp/foo%3Abar
> :
> -- should be %3A !
> But, perhaps Apache tests both?  Let's see:
> wget http://angband.pl/tmp/baz%3Aquux
> --2013-05-08 11:45:22--  http://angband.pl/tmp/baz%3Aquux
> Resolving angband.pl (angband.pl)... 2a03:9300:10::8,
> Connecting to angband.pl (angband.pl)|2a03:9300:10::8|:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2013-05-08 11:45:22 ERROR 404: Not Found.
> Nope.
> And serving .deb files via http isn't exactly a fringe use case...

URL encoding is well-known and works quite well. It does not interfere
with percent signs in filenames at all. On your server, the name of the
file on disk is "foo%3Abar": the sequence of letters is 'f', 'o', 'o',
'%', '3', 'A', 'b', 'a', 'r'. When used in a URL, this gets encoded as
"foo%253Abar". When the HTTP server receives the URL, it decodes it
and gets back "foo%3Abar".

The wget example you gave did not URL encode the filename. This meant
that the HTTP server decodes the un-encoded filename. That's a bug
in your URL construction.

The correct URL to give wget is http://angband.pl/tmp/foo%253Abar
and indeed that is the URL that Apache gives you when you click
the file in the directory listing, or use "Copy Link Location" in
Firefox's popup menu.

For more information, see https://en.wikipedia.org/wiki/URL_encoding
or the relevant RFCs linked from that.

http://www.cafepress.com/trunktees -- geeky funny T-shirts
http://gtdfh.branchable.com/ -- GTD for hackers
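
Added example, not part of the original message: the encode-once / decode-once round trip described above, run against a constructed copy of the quoted test directory. `FILES`, `url_for` and `serve` are hypothetical names, and `serve` is a toy model of the lookup, not Apache's code.

```python
from urllib.parse import quote, unquote

BASE = "http://angband.pl/tmp/"

# Constructed copy of the test directory from the quoted message:
# file name on disk -> file contents written by the shell loop.
FILES = {
    "foo:bar": ":\n",
    "foo%3Abar": "%3A\n",
    "foo%3abar": "%3a\n",
    "baz%3Aquux": "ok\n",
}


def url_for(filename, base=BASE):
    """Build the URL for an on-disk name.

    Every byte outside the unreserved set is percent-encoded, so a
    literal '%' in the name becomes '%25' and ':' becomes '%3A'.
    """
    return base + quote(filename, safe="")


def serve(url, base=BASE, files=FILES):
    """Toy server: decode the path exactly once, then look the name up."""
    name = unquote(url[len(base):])
    if name in files:
        return 200, files[name]
    return 404, None


if __name__ == "__main__":
    # The two un-encoded requests from the quoted test case.
    for raw in ("foo%3Abar", "baz%3Aquux"):
        print("raw     ", BASE + raw, "->", serve(BASE + raw))
    # The same names, encoded before being placed in the URL.
    for name in FILES:
        print("encoded ", url_for(name), "->", serve(url_for(name)))
```

Each side applies its transformation exactly once: a client that skips the encoding step, or a server that decodes twice, ends up addressing a different file than the one named.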
