NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/52958: httpd embeds "http" links on error page

>Number:         52958
>Category:       bin
>Synopsis:       httpd embeds "http" links on error page
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 28 11:20:00 +0000 2018
>Originator:     Travis Paul
>Release:        current and 7.1.1
NetBSD n7.local 7.1.1 NetBSD 7.1.1 (GENERIC.201712222334Z) amd64
The httpd error page embeds a link at the bottom of the page, this link always uses "http://"; even when served from "https://";.
Run httpd with SSL enabled, e.g.:

   /usr/libexec/httpd -b -f -I 8888 -s -Z cert/certificate.pem cert/key.pem /tmp

GET a resource that doesn't exist such as The response body will contain a link such as:

  <a href="";></a>

Index: bozohttpd.c
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.86
diff -u -u -r1.86 bozohttpd.c
--- bozohttpd.c 5 Feb 2017 01:55:03 -0000       1.86
+++ bozohttpd.c 28 Jan 2018 10:56:11 -0000
@@ -1990,11 +1990,13 @@
                    "%s%s: <pre>%s</pre>\n"
-                   "<hr><address><a href=\"http://%s%s/\";>%s%s</a></address>\n"
+                   "<hr><address><a href=\"%s://%s%s/\">%s%s</a></address>\n"
                    header, header,
                    user ? user : "", file,
-                   reason, hostname, portbuf, hostname, portbuf);
+                   reason,
+                   httpd->sslinfo ? "https" : "http",
+                   hostname, portbuf, hostname, portbuf);
                if (size >= (int)BUFSIZ) {

Home | Main Index | Thread Index | Old Index