Tag
critical
advisory
S3-Proxy Authentication Bypass via Percent-Encoded Slashes
2 rules 1 TTP
S3-Proxy is vulnerable to an authentication bypass due to inconsistent handling of percent-encoded slashes between the authentication middleware and bucket handler, allowing unauthorized access to protected resources.
s3-proxy
authentication-bypass
url-encoding
high
advisory
Heimdall Authorization Bypass via Case-Sensitive URL-Encoded Slash Handling
2 rules 1 TTP
Heimdall versions before 0.17.14 are vulnerable to inconsistent path interpretation due to case-sensitive handling of URL-encoded slashes; when `allow_encoded_slashes` is set to `off` (the default), the lowercase `%2f` is not recognized, potentially leading to authorization bypass if the default rule is overly permissive and the upstream service interprets `%2f` as a path separator.
Heimdall
authorization-bypass
url-encoding