NetBSD-Bugs archive


misc/47740: libexec/httpd rfc3986 encoding of location header



>Number:         47740
>Category:       misc
>Synopsis:       libexec/httpd rfc3986 encoding of location header
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 13 16:10:00 +0000 2013
>Originator:     MB
>Release:        6.99.17
>Organization:
>Environment:
NetBSD 6.99.17 (XEN3PAE_DOMU) #0: Sat Feb 23 12:24:40 UTC 2013  
builds%b8.netbsd.org@localhost:/home/builds/ab/HEAD/i386/201302230640Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/XEN3PAE_DOMU
 i386
>Description:
The HTTP redirect does an rfc3986-encoding of the path component of the URL; 
the hex-encoding of the '/' separator results in invalid HTTP output (e.g., 
different browsers report an error).


>How-To-Repeat:
start httpd:
mkdir cgi-bin
httpd -I 8080 -bf -X  -c cgi-bin/  . 127.0.0.1

requesting http://127.0.0.1:8080/cgi-bin (without trailing /) results in a 
status 301 (Document Moved) with a Location-header of 
'http://127.0.0.1:8080%2Fcgi-bin%2F' which results in a "Corrupted Content 
Error" in Firefox (and similar errors in other browsers).
The '/' in the path component shouldn't be hex-escaped.
>Fix:
escape_rfc3986() shouldn't escape '/' in the path portion of a URL; or don't 
escape the URL in handle_redirect() (line 965 of bozohttpd.c); not sure 
which one is the correct approach.
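
The first option under >Fix, as an added example that is not part of the original report and not bozohttpd's own code: a percent-encoder with a flag that leaves '/' alone when the input is a URL path, while still encoding every other non-unreserved byte (CR and LF included, so the Location header stays on one line). The names encode_path and keep_slash are hypothetical; the sample path is the one from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 "unreserved": ALPHA / DIGIT / "-" / "." / "_" / "~" */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Hypothetical helper, not bozohttpd's escape_rfc3986(): percent-encode src,
 * copying '/' through unchanged when keep_slash is nonzero (path separator).
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *encode_path(const char *src, int keep_slash)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(src);
    char *out, *p;
    if (len > (SIZE_MAX - 1) / 3)   /* worst case: 3 output bytes per input byte */
        return NULL;
    out = p = malloc(len * 3 + 1);
    if (out == NULL)
        return NULL;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (is_unreserved(c) || (keep_slash && c == '/')) {
            *p++ = (char)c;
        } else {                    /* everything else, CR and LF included */
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    char *bad = encode_path("/cgi-bin/", 0);   /* path taken from the report */
    char *good = encode_path("/cgi-bin/", 1);
    if (bad == NULL || good == NULL) return 1;
    printf("Location: http://127.0.0.1:8080%s\n", bad);   /* separator escaped */
    printf("Location: http://127.0.0.1:8080%s\n", good);  /* separator kept */
    free(bad); free(good);
    return 0;
}
```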


