[BusyBox 0000657]: CGI URI containing %3F (/) returns 404
bugs at busybox.net
Tue Jan 24 12:10:31 UTC 2006
The following issue has been RESOLVED.
======================================================================
http://busybox.net/bugs/view.php?id=657
======================================================================
Reported By: marc
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 657
Category: Other
Reproducibility: always
Severity: major
Priority: normal
Status: resolved
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 01-24-2006 01:47 PST
Last Modified: 01-24-2006 04:10 PST
======================================================================
Summary: CGI URI containing %3F (/) returns 404
Description:
When switching from 1.01 to 1.0.1, I noticed the following:
When entering in a method=get form:
This URL fails (returns 404):
http://board/cgi-bin/interface/interface?shell=run&execute=ls+-al+%2Fproc&run=run
While these URLs succeed:
http://board/cgi-bin/interface/interface?shell=run&execute=ls+-al+/proc&run=run
http://board/cgi-bin/interface/interface?shell=run&execute=ls%20-al%20/proc&run=run
======================================================================
----------------------------------------------------------------------
marc - 01-24-06 03:53
----------------------------------------------------------------------
This is a small patch that fixes the issue.
----------------------------------------------------------------------
vodz - 01-24-06 04:08
----------------------------------------------------------------------
Thanks.
But your patch is not correct. This code was specially added for a security
check.
It requires moving decodeUrl to after stripping the query string.
See revision 13550.
Issue History
Date Modified Username Field Change
======================================================================
01-24-06 01:47 marc New Issue
01-24-06 01:47 marc Status new => assigned
01-24-06 01:47 marc Assigned To => BusyBox
01-24-06 03:53 marc File Added: httpd-2F-1.1.0.diff
01-24-06 03:53 marc Note Added: 0000989
01-24-06 04:08 vodz Note Added: 0000990
01-24-06 04:10 vodz Status assigned => resolved
01-24-06 04:10 vodz Resolution open => fixed
======================================================================
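
Added example, not BusyBox code and not the patch attached to this report: the ordering described in the last note, shown in C next to the ordering that produces the 404. The function names are hypothetical, and the security check is assumed to be a rejection of any escape in the path that decodes to '/' or NUL.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode s in place. Returns 0, or -1 on a malformed escape or
 * one that decodes to '/' or NUL (the security check assumed here). */
static int decode_path(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        int v = (int)strtol(hex, NULL, 16);
        if (v == '/' || v == 0) return -1;
        *out++ = (char)v;
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Order behind the report: decode the whole URI, then split off the query. */
int parse_decode_first(char *uri, char **query)
{
    if (decode_path(uri) < 0) return -1;
    *query = strchr(uri, '?');
    if (*query) *(*query)++ = '\0';
    return 0;
}

/* Order after the fix: strip the query, then decode only the path. */
int parse_strip_first(char *uri, char **query)
{
    *query = strchr(uri, '?');
    if (*query) *(*query)++ = '\0';
    return decode_path(uri);
}

int main(void)
{
    char a[] = "/cgi-bin/interface/interface?shell=run&execute=ls+-al+%2Fproc&run=run";
    char b[sizeof a], *q;
    strcpy(b, a);
    int r1 = parse_decode_first(a, &q), r2 = parse_strip_first(b, &q);
    printf("decode first: %d, strip first: %d (%s ? %s)\n", r1, r2, b, q);
    return 0;
}
```

With the query stripped first, the path check still applies to the part of the URI that selects the file, while the query string reaches the CGI undecoded.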