NetBSD-Bugs archive


bin/52958: httpd embeds "http" links on error page



>Number:         52958
>Category:       bin
>Synopsis:       httpd embeds "http" links on error page
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 28 11:20:00 +0000 2018
>Originator:     Travis Paul
>Release:        current and 7.1.1
>Organization:
>Environment:
NetBSD n7.local 7.1.1 NetBSD 7.1.1 (GENERIC.201712222334Z) amd64
>Description:
The httpd error page embeds a link at the bottom of the page; this link always uses "http://", even when served from "https://".
>How-To-Repeat:
Run httpd with SSL enabled, e.g.:

   /usr/libexec/httpd -b -f -I 8888 -s -Z cert/certificate.pem cert/key.pem /tmp

GET a resource that doesn't exist such as https://127.0.0.1:8888/foo. The response body will contain a link such as:

  <a href="http://127.0.0.1:8888/">127.0.0.1:8888</a>



>Fix:
Index: bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.86
diff -u -u -r1.86 bozohttpd.c
--- bozohttpd.c 5 Feb 2017 01:55:03 -0000       1.86
+++ bozohttpd.c 28 Jan 2018 10:56:11 -0000
@@ -1990,11 +1990,13 @@
                    "<html><head><title>%s</title></head>\n"
                    "<body><h1>%s</h1>\n"
                    "%s%s: <pre>%s</pre>\n"
-                   "<hr><address><a href=\"http://%s%s/\";>%s%s</a></address>\n"
+                   "<hr><address><a href=\"%s://%s%s/\">%s%s</a></address>\n"
                    "</body></html>\n",
                    header, header,
                    user ? user : "", file,
-                   reason, hostname, portbuf, hostname, portbuf);
+                   reason,
+                   httpd->sslinfo ? "https" : "http",
+                   hostname, portbuf, hostname, portbuf);
                free(user);
                if (size >= (int)BUFSIZ) {
                        bozowarn(httpd,
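
Review bot: The new argument `httpd->sslinfo ? "https" : "http"` assumes that `sslinfo` is non-NULL exactly when the current connection is served over TLS, and that the member exists in builds compiled without SSL support. Neither is visible in this hunk, so please confirm both, or move the test into a small helper next to the SSL code. Since the href only points at the server root, a relative `href=\"/\"` would avoid choosing a scheme at all and would stay correct if TLS is terminated in front of httpd. The extra argument lengthens the output by at most one byte, which the existing `size >= (int)BUFSIZ` check still covers.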


