
List:       netbsd-bugs
Subject:    bin/47971: httpd bogusly %-encodes redirects
From:       martin () NetBSD ! org
Date:       2013-06-27 13:50:00
Message-ID: 20130627135000.8E2A4716C6 () mollari ! NetBSD ! org

> Number:         47971
> Category:       bin
> Synopsis:       httpd bogusly %-encodes redirects
> Confidential:   no
> Severity:       serious
> Priority:       low
> Responsible:    bin-bug-people
> State:          open
> Class:          sw-bug
> Submitter-Id:   net
> Arrival-Date:   Thu Jun 27 13:50:00 +0000 2013
> Originator:     Martin Husemann
> Release:        NetBSD 6.1_STABLE
> Organization:
The NetBSD Foundation, Inc.
> Environment:
System: NetBSD night-porter.duskware.de 6.1_STABLE NetBSD 6.1_STABLE (PORTER) #6: Wed May 29 21:38:20 CEST 2013 martin@night-porter.duskware.de:/usr/src-6/sys/arch/i386/compile/PORTER i386
Architecture: i386
Machine: i386
> Description:

When redirecting a request because of the existence of a .bzredirect or
.bzabsredirect file, httpd encodes the target url, including all / in it,
which usually breaks it.

I don't see why this behaviour ever would be useful, but I might be missing
something.

Note that the only other use of the escape_rfc3986() is for filenames in
generated directory indices, and there it is absolutely ok.

> How-To-Repeat:
Try a .bzredirect to, say, ../test

> Fix:
Index: bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.39
diff -c -u -r1.39 bozohttpd.c
--- bozohttpd.c	27 Jun 2013 13:11:11 -0000	1.39
+++ bozohttpd.c	27 Jun 2013 13:43:01 -0000
@@ -965,7 +965,6 @@
 		url = urlbuf;
 	} else
 		urlbuf = NULL;
-	url = escape_rfc3986(request->hr_httpd, url);
 
 	if (request->hr_query && strlen(request->hr_query))
 		query = 1;
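Review bot: removing the escape_rfc3986() call does stop '/' in the redirect target from being mangled, but it also removes the only encoding applied to the target before it is emitted, so a space, a non-ASCII byte or a control character in a .bzredirect/.bzabsredirect target now reaches the Location header verbatim; encoding per path segment (leaving '/' alone) would fix the reported breakage without giving that up. Also check the cleanup later in this function: before the change url pointed at the string escape_rfc3986() returned, and after it url aliases urlbuf (or the caller's argument), so any free(url) that follows this point has to go or it will free urlbuf twice or free a non-heap pointer.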


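The contrast the PR describes, as an added stand-alone example rather than bozohttpd's own code: a whole-string RFC 3986 encoder (the behaviour complained about, which turns "../test" into "..%2Ftest") next to a segment-wise encoder that passes '/' through but still encodes spaces and control characters. The names percent_encode, escape_whole_url and escape_path_segments are hypothetical and the signatures differ from bozohttpd's escape_rfc3986(); the redirect targets in main() are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 "unreserved" bytes never need percent-encoding. */
static int is_unreserved(unsigned char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '.' ||
	    c == '_' || c == '~';
}

/*
 * Percent-encode s.  Every byte outside the unreserved set is encoded;
 * when keep_slash is nonzero the path separator '/' is passed through so
 * the segment structure of the path survives.  Returns a malloc'd string
 * the caller frees, or NULL on allocation failure.
 */
static char *percent_encode(const char *s, int keep_slash)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t len = strlen(s);
	char *out = malloc(len * 3 + 1);	/* worst case: every byte -> "%XX" */
	char *p = out;

	if (out == NULL)
		return NULL;
	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;
		if (is_unreserved(c) || (keep_slash && c == '/')) {
			*p++ = (char)c;
		} else {
			*p++ = '%';
			*p++ = hex[c >> 4];
			*p++ = hex[c & 0x0f];
		}
	}
	*p = '\0';
	return out;
}

/* Whole-string encoding: the behaviour the PR reports ('/' becomes "%2F"). */
char *escape_whole_url(const char *s)
{
	return percent_encode(s, 0);
}

/* Segment-wise encoding: '/' survives, spaces and CR/LF are still encoded. */
char *escape_path_segments(const char *s)
{
	return percent_encode(s, 1);
}

int main(void)
{
	/* constructed sample redirect targets, not taken from any real site */
	const char *targets[] = { "../test", "/dir/sub dir/x.html", "/a\r\nb" };
	size_t i;

	for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
		char *whole = escape_whole_url(targets[i]);
		char *segs = escape_path_segments(targets[i]);
		if (whole == NULL || segs == NULL)
			return 1;
		printf("whole-url: %s\nsegments:  %s\n\n", whole, segs);
		free(whole);
		free(segs);
	}
	return 0;
}
```

The segment-wise variant is what a Location header wants: the target "../test" comes out unchanged, while a space becomes "%20" and CR/LF become "%0D%0A", so nothing in the target can terminate the header line.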