NetBSD-Bugs archive


misc/47740: libexec/httpd rfc3986 encoding of location header

>Number:         47740
>Category:       misc
>Synopsis:       libexec/httpd rfc3986 encoding of location header
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 13 16:10:00 +0000 2013
>Originator:     MB
>Release:        6.99.17
NetBSD 6.99.17 (XEN3PAE_DOMU) #0: Sat Feb 23 12:24:40 UTC 2013
The HTTP redirect does an rfc3986-encoding of the path-component of the URL; the 
hex-encoding of the '/'-separator results in invalid HTTP output (e.g., 
different browsers report an error).

start httpd:
mkdir cgi-bin
httpd -I 8080 -bf -X  -c cgi-bin/  .

requesting (without trailing /) results in a 
status 301 (Document Moved) with a Location-header of 
'' which results in a "Corrupted Content 
Error" in Firefox (and similar errors in other browsers).
The '/' in the path component shouldn't be hex-escaped.
escape_rfc3986() shouldn't escape '/' in the path-portion of a URL; or don't 
escape the URL in the handle_redirect() (line 965 of bozohttpd.c); not sure 
which one is the correct approach.
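
As an added illustration of the first option raised in the report (this is not code from bozohttpd or from the submitter): a path encoder that leaves the '/' segment separators intact, next to the variant that hex-escapes them. The function name `escape_path`, its `keep_slash` flag and the sample path are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 section 2.3 "unreserved" characters never need escaping. */
static int is_unreserved(unsigned char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/*
 * Hypothetical helper, not bozohttpd's escape_rfc3986(): percent-encode a
 * URL path. With keep_slash != 0 the '/' separators are copied through;
 * with keep_slash == 0 they become %2F, the behaviour the report describes.
 * Returns a malloc()ed string the caller frees, or NULL on failure.
 */
char *escape_path(const char *path, int keep_slash)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t len = strlen(path);
	char *out, *d;
	/* Worst case every byte becomes %XX; reject lengths that would overflow. */
	if (len > (SIZE_MAX - 1) / 3 || (out = malloc(len * 3 + 1)) == NULL)
		return NULL;
	for (d = out; *path != '\0'; path++) {
		unsigned char c = (unsigned char)*path;
		if (is_unreserved(c) || (keep_slash && c == '/')) {
			*d++ = (char)c;
		} else {
			*d++ = '%';
			*d++ = hex[c >> 4];
			*d++ = hex[c & 0x0F];
		}
	}
	*d = '\0';
	return out;
}

int main(void)
{
	const char *sample = "/docs/my file/";	/* constructed sample path */
	char *bad = escape_path(sample, 0), *good = escape_path(sample, 1);
	if (bad == NULL || good == NULL)
		return 1;
	printf("Location: %s\nLocation: %s\n", bad, good);
	free(bad); free(good);
	return 0;
}
```

The encoder escapes every byte outside the unreserved set, which is stricter than RFC 3986 requires for a path segment but always yields a valid one.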
