Bug 64607 - RewriteRule: Incorrect description for the NoEscape flag
Summary: RewriteRule: Incorrect description for the NoEscape flag
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: HTTP Server Documentation List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-16 10:43 UTC by Bram
Modified: 2020-07-16 10:43 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Bram 2020-07-16 10:43:34 UTC 
Documentation for the NoEscape RewriteRule flag:
https://httpd.apache.org/docs/trunk/rewrite/flags.html#flag_ne 

> By default, special characters, such as & and ?, for example, will be converted to their hexcode equivalent. Using the [NE] flag prevents that from happening. 

Testing this however shows that this does *not* happen for the '&' character.

Digging into the code: as far as I can tell it either ends up in:

* modules/proxy/proy_util.c: ap_proxy_canonenc or
* server/util.c: ap_os_escape_path (which uses a list generated by server/gen_test_char.c)

Both of these treat the '&' as an allowed character in a path.

For reference: list of characters that are treated as allowed (and are thus never converted to their hexcode equivalent):
* alphanumeric characters
* characters: "$-_.+!*'(),:;@&=/~"

As a minimum I would drop the reference to '&' in the description since it's incorrect.
I suppose it could be replaced with another character (such as '{') or as an alternative list the characters that are allowed.

I.e. something like:

> By default, special characters(*) will be converted to their hexcode equivalent. Using the [NE] flag prevents that from happening. 
> (*): special characters: characters that are *not*:
> - alphanumeric characters,
> - '$',
> - '-',
> - '_',
> - ...