[BusyBox 0000996]: httpd does not decode query strings before passing them to cgi script

bugs at busybox.net bugs at busybox.net
Wed Nov 29 14:42:05 UTC 2006


The following issue has been CLOSED 
====================================================================== 
http://busybox.net/bugs/view.php?id=996 
====================================================================== 
Reported By:                deeptho
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   996
Category:                   Networking Support
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             08-15-2006 15:37 PDT
Last Modified:              11-29-2006 06:42 PST
====================================================================== 
Summary:                    httpd does not decode query strings before passing
them to cgi script
Description: 

version 1.1.3 and 1.2.1 do not decode query strings before placing
them in the environment of cgi processes.

This behaviour is different from 1.0.0 and is probably a bug.
The following patch solves the problem. 


*** /tmp/networking/httpd.c~	2006-08-11 22:02:39.000000000 +0200
--- /tmp/networking/httpd.c	2006-08-11 22:02:39.000000000 +0200
***************
*** 771,776 ****
--- 771,777 ----
    asprintf(&s, "%s%s%s=%s", name_before_underline, underline,
  					name_after_underline, value);
    if(s) {
+     decodeString(s,1);
      putenv(s);
    }
  }
====================================================================== 

---------------------------------------------------------------------- 
 vda - 11-21-06 03:13  
---------------------------------------------------------------------- 
For now I am adding this:

                /* TODO: bug 996 says we need to
decodeString(config->query)
                 * before placing it into env. Is this true? Add example
                 * in the comment please... */
                setenv1("QUERY_STRING", config->query);

You suggest to decodeString() EVERY environment variable - rationale? 

---------------------------------------------------------------------- 
 deeptho - 11-21-06 11:36  
---------------------------------------------------------------------- 
It was not my intention that every env-var should be decoded (only
QUERY_STRING,
but that is indeed what the patch does.

I have just found the cgi-specification at
http://hoohoo.ncsa.uiuc.edu/cgi/env.html
and after reading this. I think my patch should not 
be used, since the specificatgion states that QUERY_STRING
should not be decoded. 

This does mean a difference in behaviour between 1.1.3 and 1.2.1. 
I filed the patch because of an application program that was broken
dues to this change. The conclusion is that that program (geckow
webinterface
for a satellite receiver) relied on the erroneous behaviour of 1.1.3. 

---------------------------------------------------------------------- 
 vda - 11-29-06 06:42  
---------------------------------------------------------------------- 
"Fixed" it by adding a comment with URL to document which explains that our
bahaviour is right. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-15-06 15:37  deeptho        New Issue                                    
08-15-06 15:37  deeptho        Status                   new => assigned     
08-15-06 15:37  deeptho        Assigned To               => BusyBox         
08-15-06 15:38  deeptho        Issue Monitored: deeptho                     
11-21-06 03:13  vda            Note Added: 0001750                          
11-21-06 03:13  vda            Status                   assigned => feedback
11-21-06 11:36  deeptho        Note Added: 0001763                          
11-29-06 06:42  vda            Status                   feedback => closed  
11-29-06 06:42  vda            Note Added: 0001834                          
======================================================================




More information about the busybox-cvs mailing list