Mangling of whitespaces in URL is not consistent across deployments
(1.1) By george on 2021-03-31 11:45:46 edited from 1.0 [source]
While verifying links in the comment of
my own check-in
I discovered that
fossil-scm.org substitutes white-spaces
in the URL's path with underscores.
Such behavior differs from
fossil ui and from my
deployment via Nginx.
The issue might be in Althttpd
which presumably runs the
With Firefox and Linux I've got the following:
|1||/wiki/To Do List||+||+||-|
|5||/wiki?name=To Do List||+||+||+|
Please consider the above (site-local) links and comment on my findings (it may help to know the outcome from other browsers and/or OSs).
(2) By sean (jungleboogie) on 2021-03-31 15:16:27 in reply to 1.1 [link] [source]
I agree in that it's probably a small issue with althttpd:
The document /hello_world is not available on this server
(3) By Richard Hipp (drh) on 2021-03-31 15:40:18 in reply to 2 [link] [source]
Althttpd deliberately does not allow spaces or other unusual characters in the URLs. That is a security feature. It is by design. See the "Security Features" subheading on the Althttpd homepage.
(4) By sean (jungleboogie) on 2021-03-31 16:44:17 in reply to 3 [link] [source]
It is by design.
Makes sense to me.
From the link:
Within the request URI, all characters other than alphanumerics and ",-./:~" are converted into a single "_".
Should the URL in the browser fill in spaces with
(5) By george on 2021-03-31 17:29:07 in reply to 4 [link] [source]
... does not allow spaces ...
> Makes sense to me.
I would be thankful for an explanation of the attack that could be mountable if spaces were allowed. As far as I know spaces cause troubles only in the contexts of shells (bash et.al). Althttpd is a pure C program.
(6) By Richard Hipp (drh) on 2021-03-31 18:00:16 in reply to 5 [link] [source]
Spaces in URL pathnames might cause problems for CGI scripts. A well-written CGI script should be able to handle spaces in pathnames. But not all CGI scripts are well-written. And even those that are sometimes contain subtle bugs. Eliminating the use of unusual characters in URL pathnames reduces the attack surface and thus makes writing "safe" applications easier and less stressful.