Bug 64607

Summary: RewriteRule: Incorrect description for the NoEscape flag
Product: Apache httpd-2 Reporter: Bram <bram-ncnpur>
Component: DocumentationAssignee: HTTP Server Documentation List <docs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Bram 2020-07-16 10:43:34 UTC 
Documentation for the NoEscape RewriteRule flag:
https://httpd.apache.org/docs/trunk/rewrite/flags.html#flag_ne 

> By default, special characters, such as & and ?, for example, will be converted to their hexcode equivalent. Using the [NE] flag prevents that from happening. 

Testing this however shows that this does *not* happen for the '&' character.

Digging into the code: as far as I can tell it either ends up in:

* modules/proxy/proy_util.c: ap_proxy_canonenc or
* server/util.c: ap_os_escape_path (which uses a list generated by server/gen_test_char.c)

Both of these treat the '&' as an allowed character in a path.

For reference: list of characters that are treated as allowed (and are thus never converted to their hexcode equivalent):
* alphanumeric characters
* characters: "$-_.+!*'(),:;@&=/~"

As a minimum I would drop the reference to '&' in the description since it's incorrect.
I suppose it could be replaced with another character (such as '{') or as an alternative list the characters that are allowed.

I.e. something like:

> By default, special characters(*) will be converted to their hexcode equivalent. Using the [NE] flag prevents that from happening. 
> (*): special characters: characters that are *not*:
> - alphanumeric characters,
> - '$',
> - '-',
> - '_',
> - ...