BusyBox Bug and Patch Tracking

Viewing Issue Simple Details
ID: 0000657
Category: [BusyBox] Other
Severity: major
Reproducibility: always
Date Submitted: 01-24-06 01:47
Last Update: 02-20-06 12:06
Reporter: marc
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: svn
Summary: 0000657: CGI URI containing %3F (/) returns 404
Description: When switching from 1.01 to 1.0.1, I noticed the following:

When entering in a method=get form:
This URL fails (returns 404):
http://board/cgi-bin/interface/interface?shell=run&execute=ls+-al+%2Fproc&run=run

While these URLs succeed:
http://board/cgi-bin/interface/interface?shell=run&execute=ls+-al+/proc&run=run
http://board/cgi-bin/interface/interface?shell=run&execute=ls%20-al%20/proc&run=run

Additional Information
Attached Files: httpd-2F-1.1.0.diff (529 bytes) 01-24-06 03:53

- Relationships

- Notes
(0000989)
marc
01-24-06 03:53

This is a small patch that fixes the issue.
 
(0000990)
vodz
01-24-06 04:08

Thanks.
But your patch is not correct. This code was specially added as a security check.
decodeUrl needs to be moved to after the query string is stripped.
See revision 13550.
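
Added example (not part of the tracker thread and not BusyBox's httpd source): a C sketch of the two orderings discussed in note 0000990, showing why decoding before stripping the query string makes the path check reject the reporter's URL. The function names are hypothetical, and the check is assumed to refuse an encoded '/' or NUL.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: percent-decode s in place. Returns -1 on a malformed
 * escape or on an encoded '/' or NUL (assumed form of the security check). */
static int decode_path(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        int v = (int)strtol(hex, NULL, 16);
        if (v == '/' || v == 0)
            return -1;          /* encoded separator/terminator: refuse */
        *out++ = (char)v;
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Cut uri at the first '?'; returns the raw query string or NULL. */
static char *strip_query(char *uri)
{
    char *q = strchr(uri, '?');
    if (!q) return NULL;
    *q = '\0';
    return q + 1;
}

/* Ordering that produces the reported 404: decode everything, then split. */
int handle_decode_first(char *uri, char **query)
{
    *query = NULL;
    if (decode_path(uri) != 0) return 404;
    *query = strip_query(uri);
    return 200;
}

/* Ordering from note 0000990: split first, decode and check the path only.
 * The query string stays encoded for the CGI program to decode itself. */
int handle_split_first(char *uri, char **query)
{
    *query = strip_query(uri);
    return decode_path(uri) == 0 ? 200 : 404;
}
```

With the split done first, the encoded-slash check still applies to the path component, so a request such as `/cgi-bin%2Finterface` is refused while `%2F` inside a form value passes through untouched.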
 
(0001126)
landley
02-20-06 12:06

If it's closed, then close it.
 

- Issue History
Date Modified Username Field Change
01-24-06 01:47 marc New Issue
01-24-06 01:47 marc Status new => assigned
01-24-06 01:47 marc Assigned To  => BusyBox
01-24-06 03:53 marc File Added: httpd-2F-1.1.0.diff
01-24-06 03:53 marc Note Added: 0000989
01-24-06 04:08 vodz Note Added: 0000990
01-24-06 04:10 vodz Status assigned => resolved
01-24-06 04:10 vodz Resolution open => fixed
02-20-06 12:06 landley Status resolved => closed
02-20-06 12:06 landley Note Added: 0001126

