Bug 41441 - Error 20024 on all pages request containing a ":"
Error 20024 on all pages request containing a ":"
Status: RESOLVED WONTFIX
Product: Apache httpd-2
Classification: Unclassified
Component: All
2.5-HEAD
PC Windows Server 2003
: P2 normal with 13 votes (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-01-23 03:35 UTC by yann
Modified: 2014-02-17 13:43 UTC (History)
5 users (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description yann 2007-01-23 03:35:15 UTC
Win2k3
Apache 2.2.4
PHP 5.2.0 (apache2handler)
Mediawiki 1.9.0

On every mediawiki URLs containing a ":" character, I get the following error
from Apache.

[Tue Jan 23 09:18:05 2007] [error] [client xx.xx.xx.xx] (20024)The given path
misformatted or contained invalid characters: Cannot map GET
/wiki/index.php/Special:Recentchanges HTTP/1.1 to file, referer:
http://myserver.com/wiki/index.php?title=Main_Page

Is it normal?
Comment 1 Cameron Walsh 2007-02-17 04:58:29 UTC
It's not just Mediawiki that does it, any random page with a colon in it will
cause the error.  Furthermore, the url does not have to correspond to any file
or service on the computer.  Error messages are as follows:

[Sat Feb 17 12:55:50 2007] [error] [client 127.0.0.1] (20024)The given path
misformatted or contained invalid characters: Cannot map GET
/wiki/Special:Specialpages HTTP/1.1 to file, referer:
http://127.0.0.1/wiki/Main_Page

[Sat Feb 17 23:39:40 2007] [error] [client 127.0.0.1] (20024)The given path
misformatted or contained invalid characters: Cannot map GET
/testing:colons:and:stuff HTTP/1.1 to file
Comment 2 Jason Armistead 2007-03-09 11:24:40 UTC
The underlying idea was to prevent people from referencing DOS style device 
names, e.g. C: which could create havoc

Unfortunately, MediaWiki started out life on Linux / Unix platforms, and they 
decided to use colons for namespaces.

Can we get an Apache httpd.conf option which allows us to selectively switch 
off this warning, maybe according to regex matching of the URL path (or even 
just the virtual path prefix) ?
Comment 3 Tom Donovan 2007-09-18 19:50:35 UTC
While device names could be a small problem, the more treacherous problem is
NTFS data streams - as described in http://support.microsoft.com/kb/105763

These are prone to misuse.

Apache 2.2 (actually the APR test_safe_name() function) intentionally disallows
the ":" character within a URI on Windows. 

Also, the Windows FindFirstFile() function will return ERROR_INVALID_NAME
instead of ERROR_FILE_NOT_FOUND for any name attempting data stream access using
the ":" character.

The choice of the ":" character as the namespace separator in MediaWiki was an
unfortunate one for use on Windows.
Comment 4 Charlie Chernohorsky 2007-12-18 08:05:29 UTC
setup: WinXP, Apache 2.2.4

url: "http://localhost/:" (anything with a colon)
browser: Forbidden You don't have permission to access /: on this server.
error.log: (20024)The given path misformatted or contained invalid characters:
Cannot map GET /: HTTP/1.1 to file

these urls also cause "Forbidden":
url: "http://localhost/ /" (any only-space path segment)
url: "http://localhost/ ?"
url: "http://localhost/ #"

.htaccess:
RewriteEngine On
RewriteRule ^.*$ index.html [L]


..if only the filename safety check didn't come to play before the mod_rewrite..
Comment 5 William A. Rowe Jr. 2007-12-22 12:58:42 UTC
Crazy question, did you try a [PT] rewrite rule to knock out the offending ':'?
Comment 6 Hui Jin 2008-01-20 09:58:30 UTC
My fixing, recompiled libapr and replaced libarp-1.dll in my apache.

char tmpname[APR_FILE_MAX * 3 + 1];
HANDLE hFind;
if ((rv = test_safe_name(fname)) != APR_SUCCESS) {
    return APR_FROM_OS_ERROR(ERROR_FILE_NOT_FOUND); //rv;
}
hFind = FindFirstFileW(wfname, &FileInfo.w);
if (hFind == INVALID_HANDLE_VALUE)
    return APR_FROM_OS_ERROR(ERROR_FILE_NOT_FOUND); //apr_get_os_error();
FindClose(hFind);
if (unicode_to_utf8_path(tmpname, sizeof(tmpname), 
                         FileInfo.w.cFileName)) {
    return APR_ENAMETOOLONG;
}
filename = apr_pstrdup(pool, tmpname);
Comment 7 Rustam Abdullaev 2008-01-27 16:01:51 UTC
I think the issue here is that ':' in the original URI always causes the 
warning, even when the URI is eventually rewritten to another one without 
the ':'.
The warning simply needs to be downgraded to a debug message (which is normally 
suppressed) or removed altogether. Or there needs to be a flag to turn it off.
Comment 8 J Forumsky 2008-02-07 05:49:06 UTC
Windows XP, apache 2.2.4

http://host/foo:bar, http://host/foo%3Abar, http://host/%F0%FF -- not working 
((22)Invalid argument: Cannot map GET /%F0%FF HTTP/1.1 to file)

but

http://host/zoo/foo:bar, http://host/zoo/foo%3Abar, http://host/zoo/%F0%FF works
fine

Comment 9 William A. Rowe Jr. 2008-02-07 07:29:26 UTC
Comment 8 has nothing to do with this report; please don't confuse bugs by
layering on multiple issues.

To the commentor - it fails because httpd on win32 requires you to specific
non-ASCII filenames in UTF-8, corresponding to the Unicode filesystem of Win32.
Comment 10 Dan Barrett 2008-04-07 14:11:39 UTC
Confirming that problem still exists in Apache 2.2.8 (PHP 5.2.5) on Windows 2003 Server.

It would be great to have some way to turn this off so it doesn't spam the error.log....
Comment 11 Jago 2009-01-28 04:21:58 UTC
Confirming that problem still exists in Apache 2.2.11 (PHP 5.2.8) on Windows
2003 Server.

Error log:

[Mon Jan 26 20:53:45 2009] [error] [client 10.x.x.x] (20024)The given path is misformatted or contained invalid characters: Cannot map GET /mwiki/index.php/Special:SpecialPages HTTP/1.1 to file, referer: http://ssdev.student.stanmore.ac.uk/mwiki/index.php/User_talk:WikiSysop
Comment 12 Eric Covener 2009-01-28 05:01:39 UTC
(In reply to comment #4)
> RewriteEngine On
> RewriteRule ^.*$ index.html [L]
> 
> 
> ..if only the filename safety check didn't come to play before the mod_rewrite..
> 

Have you tried without htaccess? It makes your rules run much later, where they can't suppress the "translate_name" in the core of apache.
Comment 13 Aleksey Parshukov 2009-09-08 01:34:30 UTC
Windows 7 
Apache 2.2.11

Same problem with "|" character.

and it's need a third level to overcome bug:


http://host/foo|bar          -Forbidden
http://host/soo/foo|bar      -Forbidden
http://host/too/soo/foo|bar  -Norm
Comment 14 Zéfling 2009-12-01 01:52:47 UTC
On Windows Vista Apache 2.2.14, these urls also cause "Forbidden":

http://localhost/n\
http://localhost/n\n
http://localhost/n/n\
http://localhost/n/n\n
http://localhost/n/n/n/n/n/n/n\n
Comment 15 William A. Rowe Jr. 2009-12-01 02:30:31 UTC
Folks, this won't be addressed until httpd learns the concept of "not a file"
resource, al la contextual DocumentRoot per Location/VirtualHost.  E.g. a
proxy-only namespace, or something run exclusively through a special handler.

Congratulations for choosing Win32 and we are pleased to provide that port.
However, the same porters would strongly encourage you to choose a system with 
fewer potential naming-related security issues if you must work around these
issues.  httpd is at the mercy of the underlying filesystem.
Comment 16 William A. Rowe Jr. 2009-12-01 02:34:16 UTC
WRT comment #14, Zéfling, see AllowEncodedSlashes and AcceptPathInfo; we suspect
yours is a simple misconfiguration or unusual assumptions.  However, in httpd
the backslash is not a pathname separator, and the file handler will not
accept it as such.  As an argument to your cgi script, it is accepted.