Bug 39739 - mod_rewrite: Unable to URL-encode path data when transfering into query string
Summary: mod_rewrite: Unable to URL-encode path data when transfering into query string
Status: RESOLVED DUPLICATE of bug 32328
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite (show other bugs)
Version: 2.0.54
Hardware: All other
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2006-06-07 00:01 UTC by Neil Mix
Modified: 2007-01-25 19:03 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Neil Mix 2006-06-07 00:01:29 UTC
It is unsafe to use a mod-rewrite rule that transfers a portion of the path into the query string.  This is 
because it is not possible to encode the matching portion of the path to be a safe query value.  For 
example, if I wanted to rewrite:
  proxy:http://www.domain.com/blah?arg=bar%2Bbaz [last]
I'm out of luck because it is impossible to translate the '+' in the path into it's query-string-safe 
equivalent, '%2B'.  As a result, the destination server will decode the query arg into "bar baz", removing 
the '+'.

According to the documentation, I can escape URLs using the RewriteMap directive:

  RewriteMap escape int:escape
  RewriteRule /foo/(.*) proxy:http://www.domain.com/blah?arg=${escape:$1} [last]

However, this doesn't work because the escape method doesn't do what one would expect based on 
casual reading of the docs.  The escape method is a pass-through to ap_escape_uri, which in turn is a 
macro for ap_os_escape_path.  The docs could reasonably lead one to believe that the escape method 
makes a string safe for use in a query string (i.e. url-encodes the string).  Instead, it makes the string 
safe for use as part of a file name.  (I think.)  Several query-string-unsafe characters are not encoded by 
this method, and the set of encoded characters varies from platform to platform.

I would recommend a fix that augments mod_rewrite's list of internal map functions.  First, deprecate 
int:escape.  Next, create int:escape_path which does the same thing that the deprecated int:escape 
does.  Last, create int:escape_query which url-encodes the value for safe use as a query-string value.

If there is general agreement that this is the correct fix but developer resources are lacking, let me 
know (or re-assign to me) and I can take a stab at creating a patch.  (Although it may be a long while in 
Comment 1 Bob Ionescu 2007-01-25 19:03:10 UTC

*** This bug has been marked as a duplicate of 32328 ***