From: Daniel Earl Poirier
Consider the following changes to take advantage of the new
- APLOG_TRACE1..8 log levels:
+ APLOG_TRACE1..8 log levels:
APLOG_DEBUG and
consider if one of the APLOG_TRACEn levels is
@@ -301,7 +301,7 @@
configured log level, use the APLOGtracen
and APLOGrtracen macros to first check
if tracing is enabled.Modules sometimes add process id and/or thread id to their log messages. These ids are now logged by default, so it may not @@ -413,6 +413,7 @@
ap_args_to_table() would be
helpful.ap_pool_cleanup_set_null().text/plain or text/html
| Description: | Determines whether encoded path separators in URLs are allowed to be passed through |
|---|---|
| Syntax: | AllowEncodedSlashes On|Off |
| Syntax: | AllowEncodedSlashes On|Off|NoDecode |
| Default: | AllowEncodedSlashes Off |
| Context: | server config, virtual host |
| Status: | Core |
| Module: | core |
| Compatibility: | Available in Apache httpd 2.0.46 and later |
| Compatibility: | Available in Apache httpd 2.0.46 and later. +NoDecode option available in 2.3.12 and later. |
The AllowEncodedSlashes directive allows URLs
which contain encoded path separators (%2F for /
and additionally %5C for \ on according systems)
- to be used. Normally such URLs are refused with a 404 (Not found) error.
With the default value, Off, such URLs are refused
+ with a 404 (Not found) error.
With the value On, such URLs are accepted, and encoded
+ slashes are decoded like all other encoded characters.
With the value NoDecode, such URLs are accepted, but
+ encoded slashes are not decoded but left in their encoded state.
Turning AllowEncodedSlashes On is
mostly useful when used in conjunction with PATH_INFO.
Allowing encoded slashes does not imply decoding.
- Occurrences of %2F or %5C (only on
- according systems) will be left as such in the otherwise decoded URL
- string.
If encoded slashes are needed in path info, use of NoDecode is
+ strongly recommended as a security measure. Allowing slashes
+ to be decoded could potentially allow unsafe paths.
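Review bot: The new closing recommendation ("If encoded slashes are needed in path info, use of NoDecode is strongly recommended") conflicts with the unchanged sentence above it, "Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO", so the page now points the reader at both On and NoDecode for the same PATH_INFO case. Reword the older sentence so it refers to allowing encoded slashes in general, or point it at NoDecode. The line "Allowing encoded slashes does not imply decoding." appears here without a removal marker while the sentence that followed it is removed; if it survives the change it contradicts the new description of On ("encoded slashes are decoded like all other encoded characters") and should be dropped with the rest of that note. "could potentially allow unsafe paths" is also too vague for a security note: state that with On a decoded %2F (or %5C) becomes an ordinary path separator in the decoded URL, which is the behaviour NoDecode avoids by leaving the sequence encoded.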