Rack::File and Rack::Directory double urldecode?
Reported by Adam | April 4th, 2009 @ 06:03 PM
Hi,
I've been playing with Rack on Passenger for a couple days - it's very cool.
In playing I noticed that both Rack::File and Rack::Directory call Rack::Utils.unescape on env['PATH_INFO'].
From what I can tell, env['PATH_INFO'] is already unescaped before it's handed to any rack middleware or app.
Is this something passenger is doing that it shouldn't be, or is this a bug in Rack::File and company?
The result of this is that any PATH_INFO with a % in it gets double unescaped, leading Rack::File to reference the wrong thing.
For example: requesting /fo%2521do PATH_INFO: /fo%21do second escape (what Rack::File does) yields: /fo!do
Comments and changes to this ticket
-
Adam April 4th, 2009 @ 06:05 PM
- Tag set to “path_info, security”
-
Adam April 4th, 2009 @ 06:10 PM
Just did a bit of googling, according to the CGI 1.1 spec, PATH_INFO should already be decoded:
http://hoohoo.ncsa.uiuc.edu/cgi/...
""" PATH_INFO
The extra path information, as given by the client. In other words, scripts can be accessed by their virtual pathname, followed by extra information at the end of this path. The extra information is sent as PATH_INFO. This information should be decoded by the server if it comes from a URL before it is passed to the CGI script. """
-
josh August 3rd, 2009 @ 03:34 PM
- State changed from “new” to “wontfix”
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
Adam
josh
Referenced by
-
104
PATCH: FastCGI handler should not bind to a TCPSocket when a File option is given to it
Patch is also available on my github branch for issue #44...