[BusyBox 0000996]: httpd does not decode query strings before passing them to cgi script
bugs at busybox.net
bugs at busybox.net
Wed Nov 29 06:42:05 PST 2006
The following issue has been CLOSED
======================================================================
http://busybox.net/bugs/view.php?id=996
======================================================================
Reported By: deeptho
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 996
Category: Networking Support
Reproducibility: always
Severity: minor
Priority: normal
Status: closed
Resolution: open
Fixed in Version:
======================================================================
Date Submitted: 08-15-2006 15:37 PDT
Last Modified: 11-29-2006 06:42 PST
======================================================================
Summary: httpd does not decode query strings before passing
them to cgi script
Description:
version 1.1.3 and 1.2.1 do not decode query strings before placing
them in the environment of cgi processes.
This behaviour is different from 1.0.0 and is probably a bug.
The following patch solves the problem.
*** /tmp/networking/httpd.c~ 2006-08-11 22:02:39.000000000 +0200
--- /tmp/networking/httpd.c 2006-08-11 22:02:39.000000000 +0200
***************
*** 771,776 ****
--- 771,777 ----
asprintf(&s, "%s%s%s=%s", name_before_underline, underline,
name_after_underline, value);
if(s) {
+ decodeString(s,1);
putenv(s);
}
}
======================================================================
----------------------------------------------------------------------
vda - 11-21-06 03:13
----------------------------------------------------------------------
For now I am adding this:
/* TODO: bug 996 says we need to
decodeString(config->query)
* before placing it into env. Is this true? Add example
* in the comment please... */
setenv1("QUERY_STRING", config->query);
You suggest to decodeString() EVERY environment variable - rationale?
----------------------------------------------------------------------
deeptho - 11-21-06 11:36
----------------------------------------------------------------------
It was not my intention that every env-var should be decoded (only
QUERY_STRING,
but that is indeed what the patch does.
I have just found the cgi-specification at
http://hoohoo.ncsa.uiuc.edu/cgi/env.html
and after reading this. I think my patch should not
be used, since the specificatgion states that QUERY_STRING
should not be decoded.
This does mean a difference in behaviour between 1.1.3 and 1.2.1.
I filed the patch because of an application program that was broken
dues to this change. The conclusion is that that program (geckow
webinterface
for a satellite receiver) relied on the erroneous behaviour of 1.1.3.
----------------------------------------------------------------------
vda - 11-29-06 06:42
----------------------------------------------------------------------
"Fixed" it by adding a comment with URL to document which explains that our
bahaviour is right.
Issue History
Date Modified Username Field Change
======================================================================
08-15-06 15:37 deeptho New Issue
08-15-06 15:37 deeptho Status new => assigned
08-15-06 15:37 deeptho Assigned To => BusyBox
08-15-06 15:38 deeptho Issue Monitored: deeptho
11-21-06 03:13 vda Note Added: 0001750
11-21-06 03:13 vda Status assigned => feedback
11-21-06 11:36 deeptho Note Added: 0001763
11-29-06 06:42 vda Status feedback => closed
11-29-06 06:42 vda Note Added: 0001834
======================================================================
More information about the busybox-cvs
mailing list