#44 ✓wontfix

Rack::File and Rack::Directory double urldecode?

Reported by Adam | April 4th, 2009 @ 06:03 PM


I've been playing with Rack on Passenger for a couple days - it's very cool.

In playing I noticed that both Rack::File and Rack::Directory call Rack::Utils.unescape on env['PATH_INFO'].

From what I can tell, env['PATH_INFO'] is already unescaped before it's handed to any rack middleware or app.

Is this something passenger is doing that it shouldn't be, or is this a bug in Rack::File and company?

The result of this is that any PATH_INFO with a % in it gets double unescaped, leading Rack::File to reference the wrong thing.

For example: requesting /fo%2521do PATH_INFO: /fo%21do second escape (what Rack::File does) yields: /fo!do

Comments and changes to this ticket

  • Adam

    Adam April 4th, 2009 @ 06:05 PM

    • Tag set to path_info, security
  • Adam

    Adam April 4th, 2009 @ 06:10 PM

    Just did a bit of googling, according to the CGI 1.1 spec, PATH_INFO should already be decoded:


    """ PATH_INFO

    The extra path information, as given by the client. In other words, scripts can be accessed by their virtual pathname, followed by extra information at the end of this path. The extra information is sent as PATH_INFO. This information should be decoded by the server if it comes from a URL before it is passed to the CGI script. """

  • josh

    josh August 3rd, 2009 @ 03:34 PM

    • State changed from “new” to “wontfix”

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

People watching this ticket

Referenced by