NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/47971: httpd bogusly %-encodes redirects

>Number:         47971
>Category:       bin
>Synopsis:       httpd bogusly %-encodes redirects
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 27 13:50:00 +0000 2013
>Originator:     Martin Husemann
>Release:        NetBSD 6.1_STABLE
The NetBSD Foundation, Inc.
#6: Wed May 29 21:38:20 CEST 2013
Architecture: i386
Machine: i386

When redirecting a request because of the existence of a .bzredirect or
.bzabsredirect file, httpd encodes the target url, including all / in it,
which usually breaks it.

I don't see why this behaviour ever would be usefull, but I might be missing

Note that the only other use of the escape_rfc3986() is for filenames in
generated directory indices, and there it is absolutely ok.

Try a .bzredirect to, say, ../test

Index: bozohttpd.c
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.39
diff -c -u -r1.39 bozohttpd.c
--- bozohttpd.c 27 Jun 2013 13:11:11 -0000      1.39
+++ bozohttpd.c 27 Jun 2013 13:43:01 -0000
@@ -965,7 +965,6 @@
                url = urlbuf;
        } else
                urlbuf = NULL;
-       url = escape_rfc3986(request->hr_httpd, url);
        if (request->hr_query && strlen(request->hr_query))
                query = 1;

Home | Main Index | Thread Index | Old Index