Review - URL-OVERLONG-UTF8

[remittor]

Test query:

GET /\xC0\xAF HTTP/1.1\r\n

Chain of Reasoning:

CVE-2000-0884 exploited exactly this pattern. Microsoft IIS on Windows decoded overlong UTF-8 sequences in URLs, allowing ..%c0%af.. to be interpreted as ../../.

Http11Probe/docs/content/docs/malformed-input/url-overlong-utf8.md

Line 74 in c938418

4. **CVE-2000-0884 exploited exactly this pattern.** Microsoft IIS on Windows decoded overlong UTF-8 sequences in URLs, allowing `..%c0%af..` to be interpreted as `../../`. This enabled remote directory traversal, giving attackers access to files outside the web root. RFC 3629 Section 10 explicitly references this class of attack, noting "a widespread virus attacking Web servers in 2001" exploited overlong UTF-8 mishandling.

This CVE-2000-0884 refers to a completely different type of request: GET /%C0%AF HTTP/1.1\r\n

[remittor]

For requests of type GET /%C0%AF HTTP/1.1\r\n, we need to do a separate test.
And I don't know what the HTTP/1.1 standard even says about encoding slashes with %2F and %C0%AF

[MDA2AV]

For requests of type GET /%C0%AF HTTP/1.1\r\n, we need to do a separate test. And I don't know what the HTTP/1.1 standard even says about encoding slashes with %2F and %C0%AF

Yes, a separate test for this

[remittor]

And I don't know what the HTTP/1.1 standard even says about encoding slashes with %2F

I decided not to decode "%2F" sequence:
remittor/fastpysgi@c4b2263