[BusyBox 0000996]: httpd does not decode query strings before passing them to cgi script

bugs at busybox.net bugs at busybox.net
Tue Nov 21 11:13:59 UTC 2006 

The following issue requires your FEEDBACK. 
====================================================================== 
http://busybox.net/bugs/view.php?id=996 
====================================================================== 
Reported By:                deeptho
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   996
Category:                   Networking Support
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     feedback
====================================================================== 
Date Submitted:             08-15-2006 15:37 PDT
Last Modified:              11-21-2006 03:13 PST
====================================================================== 
Summary:                    httpd does not decode query strings before passing
them to cgi script
Description: 

version 1.1.3 and 1.2.1 do not decode query strings before placing
them in the environment of cgi processes.

This behaviour is different from 1.0.0 and is probably a bug.
The following patch solves the problem. 


*** /tmp/networking/httpd.c~	2006-08-11 22:02:39.000000000 +0200
--- /tmp/networking/httpd.c	2006-08-11 22:02:39.000000000 +0200
***************
*** 771,776 ****
--- 771,777 ----
    asprintf(&s, "%s%s%s=%s", name_before_underline, underline,
  					name_after_underline, value);
    if(s) {
+     decodeString(s,1);
      putenv(s);
    }
  }
====================================================================== 

---------------------------------------------------------------------- 
 vda - 11-21-06 03:13  
---------------------------------------------------------------------- 
For now I am adding this:

                /* TODO: bug 996 says we need to
decodeString(config->query)
                 * before placing it into env. Is this true? Add example
                 * in the comment please... */
                setenv1("QUERY_STRING", config->query);

You suggest to decodeString() EVERY environment variable - rationale? 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-15-06 15:37  deeptho        New Issue                                    
08-15-06 15:37  deeptho        Status                   new => assigned     
08-15-06 15:37  deeptho        Assigned To               => BusyBox         
08-15-06 15:38  deeptho        Issue Monitored: deeptho                     
11-21-06 03:13  vda            Note Added: 0001750                          
11-21-06 03:13  vda            Status                   assigned => feedback
======================================================================

More information about the busybox-cvs mailing list