bin/47971: httpd bogusly %-encodes redirects

[martin%NetBSD.org@localhost]

>Number:         47971
>Category:       bin
>Synopsis:       httpd bogusly %-encodes redirects
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 27 13:50:00 +0000 2013
>Originator:     Martin Husemann
>Release:        NetBSD 6.1_STABLE
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-porter.duskware.de 6.1_STABLE NetBSD 6.1_STABLE (PORTER) 
#6: Wed May 29 21:38:20 CEST 2013 
martin%night-porter.duskware.de@localhost:/usr/src-6/sys/arch/i386/compile/PORTER
 i386
Architecture: i386
Machine: i386
>Description:

When redirecting a request because of the existence of a .bzredirect or
.bzabsredirect file, httpd encodes the target url, including all / in it,
which usually breaks it.

I don't see why this behaviour ever would be usefull, but I might be missing
something.

Note that the only other use of the escape_rfc3986() is for filenames in
generated directory indices, and there it is absolutely ok.

>How-To-Repeat:
Try a .bzredirect to, say, ../test

>Fix:
Index: bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.39
diff -c -u -r1.39 bozohttpd.c
--- bozohttpd.c 27 Jun 2013 13:11:11 -0000      1.39
+++ bozohttpd.c 27 Jun 2013 13:43:01 -0000
@@ -965,7 +965,6 @@
                url = urlbuf;
        } else
                urlbuf = NULL;
-       url = escape_rfc3986(request->hr_httpd, url);
 
        if (request->hr_query && strlen(request->hr_query))
                query = 1;