Is a slash (“/”) equivalent to an encoded slash (“%2F”) in the path portion of an HTTP URL?

From the data you gathered, I would tend to say that encoded “/” in a URI are meant to be seen as “/” again at the application/CGI level.

That is to say, if you’re using Apache with mod_rewrite, for instance, it will not match patterns expecting slashes against URIs with encoded slashes in them.
However, once the appropriate module/CGI/… is called to handle the request, it’s up to it to do the decoding and, for instance, retrieve a parameter including slashes as the first component of the URI.

If your application is then using this data to retrieve a file (whose filename contains a slash), that’s probably a bad thing.

To sum up, I find it perfectly normal to see a difference of behaviour between “/” and “%2F”, as their interpretation will be done at different levels.
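An added example, not part of the original answer: a minimal Python sketch of the two levels described above, where routing splits the raw path on literal slashes and the handler decodes each segment afterwards. `BASE_DIR`, the function names and the sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/files"  # hypothetical directory the handler serves from


def route_segments(raw_path):
    """Routing level: split on literal '/' only; '%2F' stays inside a segment."""
    return [s for s in raw_path.split("/") if s]


def decode_segment(segment):
    """Application level: percent-decode one segment after routing."""
    return unquote(segment)


def naive_file_path(raw_path):
    """Handler that uses the decoded last segment directly as a filename."""
    name = decode_segment(route_segments(raw_path)[-1])
    return posixpath.normpath(posixpath.join(BASE_DIR, name))


def safe_file_path(raw_path):
    """Same lookup, but the decoded segment must be a plain filename
    and the resolved path must stay under BASE_DIR."""
    name = decode_segment(route_segments(raw_path)[-1])
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("decoded segment is not a plain filename")
    full = posixpath.normpath(posixpath.join(BASE_DIR, name))
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError("path escapes base directory")
    return full


if __name__ == "__main__":
    # Constructed sample request paths.
    for path in ("/download/report.txt",
                 "/download/a%2Fb.txt",
                 "/download/..%2Fconfig%2Fapp.ini"):
        print(path, "->", route_segments(path), "naive:", naive_file_path(path))
        try:
            print("  safe:", safe_file_path(path))
        except ValueError as exc:
            print("  rejected:", exc)
```

The router sees two segments for `/download/a%2Fb.txt`, while the decoded filename contains a separator, which is the mismatch a file-serving handler has to check for.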
