Win2k3
Apache 2.2.4
PHP 5.2.0 (apache2handler)
Mediawiki 1.9.0

On every MediaWiki URL containing a ":" character, I get the following error from Apache.

[Tue Jan 23 09:18:05 2007] [error] [client xx.xx.xx.xx] (20024)The given path misformatted or contained invalid characters: Cannot map GET /wiki/index.php/Special:Recentchanges HTTP/1.1 to file, referer: http://myserver.com/wiki/index.php?title=Main_Page

Is it normal?

It's not just Mediawiki that does it, any random page with a colon in it will cause the error. Furthermore, the url does not have to correspond to any file or service on the computer. Error messages are as follows:

[Sat Feb 17 12:55:50 2007] [error] [client 127.0.0.1] (20024)The given path misformatted or contained invalid characters: Cannot map GET /wiki/Special:Specialpages HTTP/1.1 to file, referer: http://127.0.0.1/wiki/Main_Page
[Sat Feb 17 23:39:40 2007] [error] [client 127.0.0.1] (20024)The given path misformatted or contained invalid characters: Cannot map GET /testing:colons:and:stuff HTTP/1.1 to file

The underlying idea was to prevent people from referencing DOS style device names, e.g. C:, which could create havoc. Unfortunately, MediaWiki started out life on Linux / Unix platforms, and they decided to use colons for namespaces. Can we get an Apache httpd.conf option which allows us to selectively switch off this warning, maybe according to regex matching of the URL path (or even just the virtual path prefix)?
While device names could be a small problem, the more treacherous problem is NTFS data streams, as described in http://support.microsoft.com/kb/105763. These are prone to misuse. Apache 2.2 (actually the APR test_safe_name() function) intentionally disallows the ":" character within a URI on Windows. Also, the Windows FindFirstFile() function will return ERROR_INVALID_NAME instead of ERROR_FILE_NOT_FOUND for any name attempting data stream access using the ":" character. The choice of the ":" character as the namespace separator in MediaWiki was an unfortunate one for use on Windows.
setup: WinXP, Apache 2.2.4
url: "http://localhost/:" (anything with a colon)

browser:
Forbidden
You don't have permission to access /: on this server.

error.log:
(20024)The given path misformatted or contained invalid characters: Cannot map GET /: HTTP/1.1 to file

these urls also cause "Forbidden":
url: "http://localhost/ /" (any only-space path segment)
url: "http://localhost/ ?"
url: "http://localhost/ #"

.htaccess:
RewriteEngine On
RewriteRule ^.*$ index.html [L]

..if only the filename safety check didn't come to play before the mod_rewrite..

Crazy question, did you try a [PT] rewrite rule to knock out the offending ':'?
My fix: recompiled libapr and replaced libapr-1.dll in my Apache.

    char tmpname[APR_FILE_MAX * 3 + 1];
    HANDLE hFind;
    if ((rv = test_safe_name(fname)) != APR_SUCCESS) {
        return APR_FROM_OS_ERROR(ERROR_FILE_NOT_FOUND); //rv;
    }
    hFind = FindFirstFileW(wfname, &FileInfo.w);
    if (hFind == INVALID_HANDLE_VALUE)
        return APR_FROM_OS_ERROR(ERROR_FILE_NOT_FOUND); //apr_get_os_error();
    FindClose(hFind);
    if (unicode_to_utf8_path(tmpname, sizeof(tmpname), FileInfo.w.cFileName)) {
        return APR_ENAMETOOLONG;
    }
    filename = apr_pstrdup(pool, tmpname);

I think the issue here is that ':' in the original URI always causes the warning, even when the URI is eventually rewritten to another one without the ':'. The warning simply needs to be downgraded to a debug message (which is normally suppressed) or removed altogether. Or there needs to be a flag to turn it off.
Windows XP, apache 2.2.4
http://host/foo:bar, http://host/foo%3Abar, http://host/%F0%FF -- not working ((22)Invalid argument: Cannot map GET /%F0%FF HTTP/1.1 to file)
but http://host/zoo/foo:bar, http://host/zoo/foo%3Abar, http://host/zoo/%F0%FF works fine

Comment 8 has nothing to do with this report; please don't confuse bugs by layering on multiple issues. To the commenter - it fails because httpd on win32 requires you to specify non-ASCII filenames in UTF-8, corresponding to the Unicode filesystem of Win32.
Confirming that problem still exists in Apache 2.2.8 (PHP 5.2.5) on Windows 2003 Server. It would be great to have some way to turn this off so it doesn't spam the error.log....
Confirming that problem still exists in Apache 2.2.11 (PHP 5.2.8) on Windows 2003 Server. Error log:

[Mon Jan 26 20:53:45 2009] [error] [client 10.x.x.x] (20024)The given path is misformatted or contained invalid characters: Cannot map GET /mwiki/index.php/Special:SpecialPages HTTP/1.1 to file, referer: http://ssdev.student.stanmore.ac.uk/mwiki/index.php/User_talk:WikiSysop

(In reply to comment #4)
> RewriteEngine On
> RewriteRule ^.*$ index.html [L]
>
>
> ..if only the filename safety check didn't come to play before the mod_rewrite..
>

Have you tried without htaccess? It makes your rules run much later, where they can't suppress the "translate_name" in the core of apache.

Windows 7
Apache 2.2.11

Same problem with the "|" character, and it needs a third level to overcome the bug:
http://host/foo|bar -Forbidden
http://host/soo/foo|bar -Forbidden
http://host/too/soo/foo|bar -Norm

On Windows Vista Apache 2.2.14, these urls also cause "Forbidden":
http://localhost/n\
http://localhost/n\n
http://localhost/n/n\
http://localhost/n/n\n
http://localhost/n/n/n/n/n/n/n\n

Folks, this won't be addressed until httpd learns the concept of "not a file" resource, à la contextual DocumentRoot per Location/VirtualHost. E.g. a proxy-only namespace, or something run exclusively through a special handler. Congratulations for choosing Win32 and we are pleased to provide that port. However, the same porters would strongly encourage you to choose a system with fewer potential naming-related security issues if you must work around these issues. httpd is at the mercy of the underlying filesystem.
WRT comment #14, Zéfling, see AllowEncodedSlashes and AcceptPathInfo; we suspect yours is a simple misconfiguration or unusual assumptions. However, in httpd the backslash is not a pathname separator, and the file handler will not accept it as such. As an argument to your cgi script, it is accepted.
(In reply to William A. Rowe Jr. from comment #15)
> Folks, this won't be addressed until httpd learns the concept of "not a file"
> resource, al la contextual DocumentRoot per Location/VirtualHost. E.g. a
> proxy-only namespace, or something run exclusively through a special handler.

Why is that?

This persists in httpd 2.4.25. The NTFS feature in question is called alternate data streams: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ In short, with NTFS a file's contents constitute its default data stream. But other data streams can be stored in file metadata. These streams are named. For example, "C:\file.txt:history" would refer to the data stream called "history" of the file C:\file.txt. William, why was this marked as resolved?
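
An added example, not part of the bug report and not APR's source: a small C model of the kind of name check the comments on NTFS data streams describe, where ":" is accepted only as a drive-letter delimiter because anywhere else it is stream syntax. The function name and verdict codes are hypothetical; the first three sample paths come from the thread and the last is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not APR's). */
typedef enum { PATH_OK, PATH_STREAM, PATH_WILDCARD, PATH_BAD_CHAR } path_verdict;

/* Classify a path before it is handed to the Win32 file APIs.
 * A ':' is accepted only as a drive-letter delimiter ("C:..."); anywhere
 * else it would select a named data stream ("file.txt:history"). */
static path_verdict check_win32_path(const char *path)
{
    const unsigned char *p = (const unsigned char *)path;

    if (isalpha(p[0]) && p[1] == ':')
        p += 2;                       /* skip the drive prefix */

    for (; *p; ++p) {
        if (*p == ':')
            return PATH_STREAM;       /* alternate data stream syntax */
        if (*p == '?' || *p == '*')
            return PATH_WILDCARD;     /* FindFirstFile wildcard */
        if (*p < 0x20 || strchr("<>\"|", *p))
            return PATH_BAD_CHAR;     /* never valid in a Win32 file name */
    }
    return PATH_OK;
}

int main(void)
{
    /* First three paths appear in the thread; the last is constructed. */
    const char *samples[] = {
        "/wiki/index.php/Special:Recentchanges",
        "/testing:colons:and:stuff",
        "C:\\file.txt:history",
        "C:/Apache2/htdocs/wiki/index.php",
    };
    static const char *names[] = { "ok", "stream", "wildcard", "bad-char" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i)
        printf("%-40s %s\n", samples[i], names[check_win32_path(samples[i])]);
    return 0;
}
```

Because the check looks only at the string, it gives the same verdict whether or not the path maps to a file, which matches the reports above that any URL containing a colon is refused.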