Using URLs as resource IDs: how to make it work with Apache/Passenger?

I have a resource whose public ID is a URL. The resulting URLs look like
this

  http://my-app.com/things/http%3A%2F%2Fexample.com/foo.png

I make sure manually that "." in URLs are encoded as "%2E". The route
looks like this

  get 'things/:url' => 'things#show'

This works just fine with Mongrel, but it does not work with Apache and
Passenger. The request doesn't even get through to my app; I only get a
404 response and a corresponding entry in

/var/log/apache2/other_vhosts_access.log

There is nothing in the app's log. The problem appears to be caused by
the "/" in the :url parameter, even though they are encoded as "%2F".

I'd prefer if I didn't have to read through all the ActionPack and Rack
routing code to understand what's happening and find a remedy. It must
be possible to do this cleanly.

Michael

Tricky issue. To fix, enable AllowEncodedSlashes in Apache:
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

jeremy

[...]

> There is nothing in the app's log. The problem appears to be caused
> by the "/" in the :url parameter, even though they are encoded as
> "%2F".
>
> I'd prefer if I didn't have to read through all the ActionPack and
> Rack routing code to understand what's happening and find a
> remedy. It must be possible to do this cleanly.

> Tricky issue. To fix, enable AllowEncodedSlashes in Apache:
> http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

Thanks, Jeremy, that's been very helpful. In combination with route
globbing, i.e.

  get 'things/*url' => 'things#show'

the intended controller action is called. Curiously, consecutive slashes
are collapsed somewhere in parameter processing, so that "http://foo"
becomes "http:/foo". Well, I can work around that, though of course I'd
prefer if I didn't have to.

Are there any security implications of enabling AllowEncodedSlashes? I
figure there must be a reason that they are not enabled by default.

Michael
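
An added example, not part of the thread: one way to handle the collapsed "http:/foo" form on the application side and to validate the URL-as-ID before it is used, since a URL that crosses Apache, Passenger and the router can be normalized differently at each layer. `ThingUrl`, `recover` and `valid?` are hypothetical names; the code assumes the framework has already percent-decoded `params[:url]` and that only http/https URLs are valid IDs.

```ruby
require 'uri'

# Hypothetical helper (not from the thread): rebuild and validate the URL
# that arrives in params[:url] via the 'things/*url' glob route.
module ThingUrl
  class Invalid < StandardError; end

  ALLOWED_SCHEMES = %w[http https].freeze

  # raw is assumed to be already percent-decoded by the framework, possibly
  # with "//" collapsed to "/" as described in the thread.
  def self.recover(raw)
    raise Invalid, 'empty' if raw.nil? || raw.empty?

    # Restore the slash lost after the scheme: "http:/foo" -> "http://foo".
    # Collapsed "//" later in the URL cannot be told apart from a single "/".
    repaired = raw.sub(%r{\A([A-Za-z][A-Za-z0-9+.-]*):/(?!/)}, '\1://')

    uri = begin
      URI.parse(repaired)
    rescue URI::InvalidURIError
      raise Invalid, 'unparseable'
    end

    raise Invalid, 'scheme' unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
    raise Invalid, 'host' if uri.host.nil? || uri.host.empty?
    raise Invalid, 'userinfo' if uri.userinfo

    # Reject dot segments (plain or still encoded as %2E): they let the web
    # server and the app disagree about which resource an ID names.
    segments = uri.path.split('/').map { |s| s.gsub(/%2e/i, '.') }
    raise Invalid, 'dot segment' if segments.any? { |s| %w[. ..].include?(s) }

    uri.to_s
  end

  def self.valid?(raw)
    recover(raw)
    true
  rescue Invalid
    false
  end
end
```

In a controller this would be called as `ThingUrl.recover(params[:url])`, answering 404 when `ThingUrl::Invalid` is raised.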