author: Stefan Bühler <stbuehler@web.de> 2008-12-07 15:22:42 +0000
committer: Stefan Bühler <stbuehler@web.de> 2008-12-07 15:22:42 +0000
commit: 36f74e5d23e4d64a123c9ebf0822dd940c896e27 (patch)
tree: 59ae0a54421cfc4d6c576cafdc875ada1ef971ee /doc
parent: a64e7cd46b6b7b0e96745c68d0c3618e2402bbfa (diff)
download: lighttpd-git-36f74e5d23e4d64a123c9ebf0822dd940c896e27.tar.gz
Revert url decoding+simplifying before matching of mod_rewrite/mod_redirect
- Lots of regressions (we forgot to reencode the result)
- Generic problem: after decode and rewrite "a?b?c": which '?' was the path?query separator?
- Possible solution: only decode printable characters (without '?'), and encode the result; do not encode the '%' of a not decoded character.
- Still a problem with path simplifying, it seems many people use urls like this: http://server1/http%3a//server2/xxx and rewrite the path into the querystring.
- Probably only usable with an extra config option => Do NOT use rewrite/redirect to protect specific urls.

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2362 152afb58-edef-0310-8abb-c4023f1b3aa9
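The two failure modes named in the commit message (decode-everything-first loses the path/query separator, and rule matching against the raw client string sees "/abc/../xyz%2f/path" rather than the simplified path) are easy to reproduce outside the server. The following is an added Python illustration, not lighttpd code and not the reverted implementation: `naive_normalize` models the reverted behaviour, `normalize_for_rules` models the "possible solution" from the message (split on the raw string, decode only printable characters other than '?', re-encode without touching the '%' of undecoded triplets), and the two `denied_by_*` helpers show why a deny rule in mod_rewrite/mod_redirect does not protect a URL. Leaving `%25` undecoded and the regex rule `^/secret` are my own assumptions for the demonstration.

```python
import re
from urllib.parse import quote, unquote

# Percent-decode only when the result is printable ASCII and is neither '?'
# (the commit message's rule) nor '%' (my own addition, assumed here, so that a
# decoded '%' can never be mistaken for the start of a new %XX triplet).
_DECODABLE = {chr(c) for c in range(0x20, 0x7F)} - set("?%")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def selective_decode(raw_path: str) -> str:
    """Decode %XX triplets selectively; undecoded ones are kept literally, '%' included."""
    def repl(m: re.Match) -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in _DECODABLE else m.group(0)
    return _PCT.sub(repl, raw_path)


def simplify_path(path: str) -> str:
    """Collapse '.' and '..' segments of an absolute path (never climbs above '/')."""
    out = []
    for seg in path.split("/")[1:]:  # drop the empty segment before the leading '/'
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def naive_normalize(raw_url: str) -> tuple[str, str]:
    """The reverted approach: decode everything first, then look for '?'.
    An encoded '?' in the path (%3F) becomes indistinguishable from the separator."""
    path, _, query = unquote(raw_url).partition("?")
    return simplify_path(path), query


def normalize_for_rules(raw_url: str) -> tuple[str, str]:
    """Split path from query on the RAW string first, so an encoded '?' can never
    move the separator; then decode selectively and simplify only the path."""
    path, _, query = raw_url.partition("?")
    return simplify_path(selective_decode(path)), query


def reencode(path: str) -> str:
    """Re-encode a (possibly rewritten) path. '%' stays safe so that triplets left
    undecoded by selective_decode are not double-encoded to %25XX."""
    return quote(path, safe="/%")


# Constructed deny rule, of the kind the warning says not to rely on.
DENY_RULE = re.compile(r"^/secret(/|$)")


def denied_by_raw_match(raw_url: str) -> bool:
    """What a mod_rewrite/mod_redirect rule sees after this commit: the raw client URL."""
    return bool(DENY_RULE.search(raw_url.partition("?")[0]))


def denied_by_normalized_match(raw_url: str) -> bool:
    """What an access check must look at: the decoded and simplified path."""
    path, _ = normalize_for_rules(raw_url)
    return bool(DENY_RULE.search(path))


if __name__ == "__main__":
    # Constructed request strings, including the one from the doc warning.
    print(naive_normalize("/a%3Fb?c"))                  # ('/a', 'b?c')  separator lost
    print(normalize_for_rules("/a%3Fb?c"))              # ('/a%3Fb', 'c')
    print(normalize_for_rules("/abc/../xyz%2f/path"))   # ('/xyz//path', '')
    print(denied_by_raw_match("/abc/../secret/x"))      # False: rule never fires
    print(denied_by_normalized_match("/abc/../secret/x"))  # True
    print(reencode(selective_decode("/a%3Fb c")))       # /a%3Fb%20c
```

The last line shows the re-encoding rule from the message in action: the space decoded from the client string is encoded again, while the `%3F` that was never decoded keeps its original `%`. The `denied_by_*` pair is the reason for the added Warning sections: the raw string "/abc/../secret/x" does not start with "/secret", so a rewrite or redirect rule meant to guard that path never matches it, while the simplified path an access check would operate on is exactly "/secret/x".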
Diffstat (limited to 'doc')
-rw-r--r--  doc/redirect.txt | 6
-rw-r--r--  doc/rewrite.txt  | 6
2 files changed, 12 insertions, 0 deletions
diff --git a/doc/redirect.txt b/doc/redirect.txt
index cf7cd752..ec547317 100644
--- a/doc/redirect.txt
+++ b/doc/redirect.txt
@@ -39,3 +39,9 @@ url.redirect
$HTTP["host"] =~ "^www\.(.*)" {
url.redirect = ( "^/(.*)" => "http://%1/$1" )
}
+
+Warning
+=======
+
+Do NOT use mod_redirect to protect specific urls, as the original url passed from the client
+is matched against your rules, for example strings like "/abc/../xyz%2f/path".
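Review bot: the new Warning names the example string "/abc/../xyz%2f/path" but does not say what a reader should compare it with, so the point of the example is easy to miss. Suggest adding one sentence after the example stating that no percent-decoding and no "../" simplification is applied before the rules run, so a pattern written for the simplified form of that request does not match it, and that url.redirect therefore cannot serve as an access control.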
diff --git a/doc/rewrite.txt b/doc/rewrite.txt
index e4670223..a1390695 100644
--- a/doc/rewrite.txt
+++ b/doc/rewrite.txt
@@ -43,6 +43,12 @@ url.rewrite-repeat
The options ``url.rewrite`` and ``url.rewrite-final`` were mapped to ``url.rewrite-once``
in 1.3.16.
+Warning
+=======
+
+Do NOT use mod_rewrite to protect specific urls, as the original url passed from the client
+is matched against your rules, for example strings like "/abc/../xyz%2f/path".
+
Examples
========
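Review bot: "+Warning" is inserted directly after the "in 1.3.16." paragraph with no blank line before it, unlike the redirect.txt hunk, which adds an empty "+" line first. In reStructuredText the title then continues the preceding paragraph and the "=======" underline is not recognised as a section heading. Add an empty "+" line before "+Warning" as in redirect.txt.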