Using URLs as resource IDs: how to make work with Apache/Passenger?

I have a resource whose public ID is a URL. The resulting URLs look like
this

http://my-app.com/things/http%3A%2F%2Fexample.com/foo.png

I make sure manually, that “.” in URLs are encoded as “%2E”. The route
looks like this

get ‘things/:url’ => ‘things#show’

This works just fine with Mongrel, but it does not work with Apache and
Passenger. The request doesn’t even get through to my app, I only get a
404 response and a corresponding entry in

/var/log/apache2/other_vhosts_access.log

There is nothing in the app’s log. The problem appears to be caused by
the “/” in the :url parameter, even though they are encoded as “%2F”.

I’d prefer if I didn’t have to read through all the ActionPack and Rack
routing code to understand what’s happening and find a remedy. It must
be possible to do this cleanly.

Michael


Michael S.
mailto:[email protected]
http://www.schuerig.de/michael/

On Tue, Sep 14, 2010 at 11:13 AM, Michael S. [email protected]
wrote:

routing code to understand what’s happening and find a remedy. It must
be possible to do this cleanly.

Tricky issue. To fix, enable AllowEncodedSlashes in Apache:
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

jeremy

On Tuesday 14 September 2010, Jeremy K. wrote:

On Tue, Sep 14, 2010 at 11:13 AM, Michael S.
[email protected] wrote:
[…]

There is nothing in the app’s log. The problem appears to be caused
by the “/” in the :url parameter, even though they are encoded as
“%2F”.

I’d prefer if I didn’t have to read through all the ActionPack and
Rack routing code to understand what’s happening and find a
remedy. It must be possible to do this cleanly.

Tricky issue. To fix, enable AllowEncodedSlashes in Apache:
core - Apache HTTP Server Version 2.2

Thanks, Jeremy, that’s been very helpful. In combination with route
globbing, i.e.

get ‘things/*url’ => ‘things#show’

the intended controller action is called. Curiously, consecutive slashes
are collapsed somewhere in parameter processing, so that “http://foo
becomes “http:/foo”. Well, I can work around that, though, of course I’d
prefer if I didn’t have to.

Are there any security implications of enabling AllowEncodedSlashes? I
figure there must be a reason that they are not enabled by default.

Michael


Michael S.
mailto:[email protected]
http://www.schuerig.de/michael/