Is there a definitive documented answer on double quoted string escaping?

Question

Say, for example, I want to write this header line in an HTTP response:

Content-Disposition: attachment; filename="I can't believe it's not header!.jpg"

It contains a mix of quotes, repeating the quotes doesn't work (despite being the cleanest approach):

Header set always Content-Disposition "attachment; filename=""I can't believe it's not header!.jpg"""

It throws an error Header has too many arguments.

Good old backslash works:

Header always set Content-Disposition "attachment; filename=\"I can't believe it's not header!.jpg\""

but the docs provide examples where backslashes are used unescaped, so I assume that "a\b" is parsed the same as "a\\b" because \b isn't special like \ and ". We know what they say about assumptions. Am I just being dense? Where are the docs?

---

Update: I opened a bug as I found other oddities.

Answer 1

Backslash-escapes are certainly the standard way of escaping characters in Apache config files, so backslash-escaping double quotes inside a string that is itself delimited by double quotes is certainly the way to go.

However, where is this documented? The page in the Apache docs that covers configuration file syntax does not explicitly cover this. (The only mention of backslashes are in regards to continuing directives across multiple lines - something which is rarely required.)

The Apache docs for mod_log_config (a base module) do state:

Literal quotes and backslashes should be escaped with backslashes.

This is where the argument is (always) enclosed in double quotes. The same happens to apply to pretty much all string arguments in all modules.

but the docs provide examples where backslashes are used unescaped, so I assume that "a\b" is parsed the same as "a\\b" because \b isn't special like \ and ".

I can't see where you are referring to? The link you provide does not seem to include such an example?

If the argument is an ordinary string then "a\b" would be seen as "ab" (the literal b is unnecessarily escaped). And "a\\b" would be "a\b" (the backslash itself is escaped for a literal backslash). However, if the argument takes a regex (as many of those examples on the Apache expressions page do) then \b itself is a special meta-character that asserts a word-boundary - there is no backslash-escape in this instance.

Note that arguments in Apache config files only need to be surrounded in double quotes if the value contains spaces. Many examples in the Apache docs include double quotes, but this is not a requirement. Spaces themselves can often be backslash-escaped (to avoid having to double quote the argument), but this tends to be less readable. For regex arguments it is often preferable use \s instead (any space character).