StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POWhy is it a security risk to allow encoded slashes in a URI?
primarykey
Id
5942780
data
AcceptedAnswerId
5944638
AnswerCount
2
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2011-05-09T21:37:52.277
FavoriteCount
5
LastActivityDate
2011-05-10T02:57:27.837
LastEditDate
2011-05-09T22:20:33.130
LastEditorUserId
144149
OwnerUserId
144149
ParentId
0
PostTypeId
1
Score
20
ViewCount
4522
LastEditorDisplayName
text
Body
I have a situation where I want encoded slashes in a URI (<code>%2F</code>), but my <code>.htaccess</code> rules are ignored when I make the request, sending me instead to a 404 page. I quickly found the Apache directive <a href="http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes" rel="noreferrer"><code>AllowEncodedSlashes</code></a>, which I plan to turn on, but I still don't understand why it's a security risk in the first place. Couldn't anyone manually transform the encoded slashes to real slashes, if they were trying to be nefarious? (Although I can't see what harm they could do...) The application I'm testing is written in PHP, and the mod_rewrite rule that interfaces with it looks like: <pre><code>RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^test/(.*)$ /test.php?_escaped_fragment_=$1 [NE,QSA,L] </code></pre> I just want to make sure I understand the risks before proceeding. <hr> To clarify: Apache does not allow encoded slashes in the path, but they are allowed in the query string. The query string is just as susceptible to the exploits listed by Christian below ("Remote Code Execution, Local File Access and Directory Traversal"). So why did the ASF go so far as to create a special directive just to allow this behavior? I'm not trying to be difficult, I just really don't understand. I think it goes without saying that any user input (including the URI) needs to be verified before using it in any database or file system function.
Tags
<php><apache><mod-rewrite>
Title
Why is it a security risk to allow encoded slashes in a URI?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USJKS
UserOwnerUserId
1. USJKS
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POWhy is it a security risk to allow encoded slashes in a URI?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POWhy is it a security risk to allow encoded slashes in a URI?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POWhy is it a security risk to allow encoded slashes in a URI?
 UserUserId
 USBurak Erdem
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.