Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.0.0RC8

Bug #12283 Double urldecode causes problems with filenames that have % or +
Submitted: 2007-10-19 16:07 UTC
From: bklang Assigned: hholzgra
Status: Closed Package: HTTP_WebDAV_Server (version 1.0.0RC4)
PHP Version: Irrelevant OS: All
Roadmaps: 1.0    

 [2007-10-19 16:07 UTC] bklang (Ben Klang)
Description: ------------ I am working on a script which allows browsing a filesystem. I noticed that when requesting filenames that contained a certain combination of characters (notably %40 or +), the file name presented to my application had been modified. This is not a mistake: the file names themselves had a character sequence which could be mistaken for a urlencoded string. After researching, I found that that Server.php contained a call to urldecode the $_SERVER['PATH_INFO'] string. Because the CGI1.1 specification[1] requires that the HTTP server present an already decoded URL to the controlling script, this is causing a double decoding of PATH_INFO and thus the request becomes invalid. My suggestion would be to remove the _urldecode() function (starting at line 1971) and the call to _urldecode($path_info) on line 155 in the ServeRequest() method of Server.php. This is the only place in Server.php that _urldecode() is called. The call to urldecode() should also be removed from line 1470 in the _copymove() method. [1]:


 [2008-04-23 02:55 UTC] hholzgra (Hartmut Holzgraefe)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on by the end of next Sunday (CET). If this was a problem with the website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.