Fossil Forum

Mangling of whitespaces in URL is not consistent across deployments

Mangling of whitespaces in URL is not consistent across deployments

(1.1) By george on 2021-03-31 11:45:46 edited from 1.0 [source]

While verifying links in the comment of my own check-in I discovered that substitutes white-spaces in the URL's path with underscores.
Such behavior differs from fossil ui and from my deployment via Nginx.

The issue might be in Althttpd which presumably runs the site.

With Firefox and Linux I've got the following:

# Link Local Nginx Althttpd
1 /wiki/To Do List + + -
2 /wiki/To+Do+List + + -
3 /wiki/To%20Do%20List + + -
4 /wiki/To_Do_List - - -
5 /wiki?name=To Do List + + +
6 /wiki?name=To+Do+List + + +
7 /wiki?name=To%20Do%20List + + +
8 /wiki?name=To_Do_List - - -

Please consider the above (site-local) links and comment on my findings (it may help to know the outcome from other browsers and/or OSs).

(2) By sean (jungleboogie) on 2021-03-31 15:16:27 in reply to 1.1 [link] [source]

I agree in that it's probably a small issue with althttpd: world

The document /hello_world is not available on this server

(3) By Richard Hipp (drh) on 2021-03-31 15:40:18 in reply to 2 [link] [source]

Althttpd deliberately does not allow spaces or other unusual characters in the URLs. That is a security feature. It is by design. See the "Security Features" subheading on the Althttpd homepage.

(4) By sean (jungleboogie) on 2021-03-31 16:44:17 in reply to 3 [link] [source]


It is by design.

Makes sense to me.

From the link: Within the request URI, all characters other than alphanumerics and ",-./:~" are converted into a single "_".

Should the URL in the browser fill in spaces with _ ?

(5) By george on 2021-03-31 17:29:07 in reply to 4 [link] [source]

... does not allow spaces ...
> Makes sense to me.

I would be thankful for an explanation of the attack that could be mountable if spaces were allowed. As far as I know spaces cause troubles only in the contexts of shells (bash Althttpd is a pure C program.

(6) By Richard Hipp (drh) on 2021-03-31 18:00:16 in reply to 5 [link] [source]

Spaces in URL pathnames might cause problems for CGI scripts. A well-written CGI script should be able to handle spaces in pathnames. But not all CGI scripts are well-written. And even those that are sometimes contain subtle bugs. Eliminating the use of unusual characters in URL pathnames reduces the attack surface and thus makes writing "safe" applications easier and less stressful.