Re: format strings in deny_info?

From: Gerard Eviston <geviston@dont-contact.us>
Date: Wed, 4 Jun 2003 00:01:38 +1000

On Mon, 2 Jun 2003 23:23, Henrik Nordstrom wrote:
> Looking reasonable, but data inserted into URLs need to be URL escaped
> with rfc1738_escape_part() (not rfc1738_escape) before it is inserted
> into the URL or else there will be issues in most uses.. while data
> inserted into error pages need to be escaped by rfc1738_escape().

Thanks Henrik. I've attached a slightly modified patch that escapes only the
substituted data with rfc1738_escape_part(). I understand now why
rfc1738_escape_part() is needed instead of rfc1738_escape(), but as for
escaping data before it is inserted in the URL - is this so Squid can assume
that the deny_info URL (the part without the format strings) is already
escaped?

Eg: deny_info http://myserver/test.cgi?[E=%E] myacl
Original patch: http://myserver/test.cgi?%5bE=%5bNo%20Error%5d%5d
New patch: http://myserver/test.cgi?[E=%5bNo%20Error%5d]

Also, data in error pages is already escaped with html_quote() if required. I
haven't changed that behaviour.

Regards
Gerard

Received on Tue Jun 03 2003 - 07:56:52 MDT
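
The "New patch" behaviour described in the message above, as an added example that is not part of the original message, the attached patch or Squid's source: the administrator-written template is copied verbatim and only the value substituted for %E is percent-encoded. `escape_part()` and `expand_deny_info()` are hypothetical names, and the set of characters left unescaped is an assumption, not the behaviour of rfc1738_escape_part().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a "part" escaper (not Squid's rfc1738 code):
 * percent-encode every byte except ASCII letters, digits, '-', '_', '.'. */
static int escape_part(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int keep = isalnum(c) || c == '-' || c == '_' || c == '.';
        size_t need = keep ? 1 : 3;
        if (n + need >= cap) return -1;   /* refuse rather than truncate */
        if (keep) out[n] = (char)c;
        else snprintf(out + n, 4, "%%%02x", (unsigned)c);
        n += need;
    }
    out[n] = '\0';
    return 0;
}

/* Copy the admin-written template verbatim and escape only the value
 * substituted for "%E". Returns 0, or -1 if out is too small. */
int expand_deny_info(const char *tmpl, const char *err, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'E') {
            if (escape_part(err, out + n, cap - n) < 0) return -1;
            n += strlen(out + n);
            p++;                          /* skip the 'E' */
        } else {
            if (n + 1 >= cap) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char url[256];
    /* Constructed value containing query metacharacters. */
    if (expand_deny_info("http://myserver/test.cgi?[E=%E]", "a]&b=c", url, sizeof url) == 0)
        puts(url);
    return 0;
}
```

Because `&`, `=` and `]` in the substituted value are encoded, the value cannot close the bracket or add a query parameter to the redirect URL, while the template's own `?`, `[` and `=` stay as the administrator wrote them.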
