
Bug#931827: lighttpd: server returned 400, if %C0 is included in the URL



Package: lighttpd
Version: 1.4.53-4
Severity: normal

Dear Maintainer,

Hello!

The lighttpd server returns "400 Bad Request" if %C0 (or any other
char.) is included in the URL.

For example,
http://localhost/index.lighttpd.html : returns OK (displays index page)
http://localhost/index.lighttpd.html?%C0 : 400 Bad Request
http://localhost/index.lighttpd.html?%C1 : 400 Bad Request
http://localhost/index.lighttpd.html?%C2 : OK

I can't understand this behavior.

Thank you very much.

OHNO, Tetsuji


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lighttpd depends on:
ii  libattr1      1:2.4.48-4
ii  libbz2-1.0    1.0.6-9.1
ii  libc6         2.28-10
ii  libfam0       2.7.0-17.3
ii  libpcre3      2:8.39-12
ii  libssl1.1     1.1.1c-1
ii  lsb-base      10.2019051400
ii  mime-support  3.62
ii  zlib1g        1:1.2.11.dfsg-1

Versions of packages lighttpd recommends:
ii  lighttpd-modules-ldap   1.4.53-4
ii  lighttpd-modules-mysql  1.4.53-4
ii  perl                    5.28.1-6
ii  spawn-fcgi              1.6.4-2

Versions of packages lighttpd suggests:
pn  apache2-utils  <none>
pn  lighttpd-doc   <none>
ii  openssl        1.1.1c-1
pn  php-cgi        <none>
pn  rrdtool        <none>

-- Configuration Files:
/etc/lighttpd/lighttpd.conf changed:
$HTTP["host"] == "10.0.0.1" {
	userdir.path         = "public_html"
        userdir.exclude-user = ( "root", "postmaster" )
}
server.modules = (
	"mod_indexfile",
	"mod_access",
	"mod_alias",
 	"mod_redirect",
)
server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 6080
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)
index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
server.modules += (
	"mod_compress",
	"mod_dirlisting",
	"mod_staticfile",
)


-- no debconf information
