[BusyBox 0000657]: CGI URI containing %3F (/) returns 404

bugs at busybox.net
Tue Jan 24 12:10:31 UTC 2006


The following issue has been RESOLVED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=657 
====================================================================== 
Reported By:                marc
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   657
Category:                   Other
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     resolved
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             01-24-2006 01:47 PST
Last Modified:              01-24-2006 04:10 PST
====================================================================== 
Summary:                    CGI URI containing %3F (/) returns 404
Description: 
When switching from 1.01 to 1.0.1, I noticed the following:

When entering in a method=get form:
This URL fails (returns 404):
http://board/cgi-bin/interface/interface?shell=run&execute=ls+-al+%2Fproc&run=run

While these URLs succeed:
http://board/cgi-bin/interface/interface?shell=run&execute=ls+-al+/proc&run=run
http://board/cgi-bin/interface/interface?shell=run&execute=ls%20-al%20/proc&run=run


====================================================================== 

---------------------------------------------------------------------- 
 marc - 01-24-06 03:53  
---------------------------------------------------------------------- 
This is a small patch that fixes the issue. 

---------------------------------------------------------------------- 
 vodz - 01-24-06 04:08  
---------------------------------------------------------------------- 
Thanks.
But your patch is not correct. This code was added specially as a security
check.
It requires moving decodeUrl to after the query string is stripped.
See revision 13550. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
01-24-06 01:47  marc           New Issue                                    
01-24-06 01:47  marc           Status                   new => assigned     
01-24-06 01:47  marc           Assigned To               => BusyBox         
01-24-06 03:53  marc           File Added: httpd-2F-1.1.0.diff
01-24-06 03:53  marc           Note Added: 0000989                          
01-24-06 04:08  vodz           Note Added: 0000990                          
01-24-06 04:10  vodz           Status                   assigned => resolved
01-24-06 04:10  vodz           Resolution               open => fixed       
======================================================================
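
The ordering discussed in note 0000990, as an added example that is not BusyBox httpd code and not part of the original report. It assumes the security check rejects a percent-encoded '/' or NUL while decoding; the function names are hypothetical and the sample URI in main() is shortened from the one in the report.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place. Returns -1 on a malformed escape or on an
 * encoded '/' or NUL, else 0. */
static int decode_path(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        int v = (int)strtol(hex, NULL, 16);
        if (v == '/' || v == '\0') return -1;   /* assumed security check */
        *out++ = (char)v;
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Decode before splitting: the check also sees the query string. */
int route_decode_first(char *uri, char **query)
{
    *query = NULL;
    if (decode_path(uri) != 0)
        return 404;
    char *q = strchr(uri, '?');
    if (q) { *q = '\0'; *query = q + 1; }
    return 200;
}

/* Split at '?' first; only the path is decoded, the query stays raw. */
int route_strip_first(char *uri, char **query)
{
    char *q = strchr(uri, '?');
    *query = NULL;
    if (q) { *q = '\0'; *query = q + 1; }
    return decode_path(uri) != 0 ? 404 : 200;
}

int main(void)
{
    char a[] = "/cgi-bin/interface/interface?execute=ls+-al+%2Fproc";
    char b[] = "/cgi-bin/interface/interface?execute=ls+-al+%2Fproc", *q;
    return route_decode_first(a, &q) == 404 && route_strip_first(b, &q) == 200 ? 0 : 1;
}
```

With the split done first, an encoded slash in the path is still refused, while the query string reaches the CGI program undecoded.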



