
Bug#931827: marked as done (lighttpd: server returned 400 if %C0 is included in the URL)



Your message dated Sat, 8 Feb 2020 00:29:35 -0500
with message-id <20200208052935.GC17494@xps13>
and subject line 931827-close
has caused the Debian Bug report #931827,
regarding lighttpd: server returned 400 if %C0 is included in the URL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931827
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.53-4
Severity: normal

Dear Maintainer,

Hello!

The lighttpd server returns "400 Bad Request" if %C0 (or any other
character) is included in the URL.

For example:
http://localhost/index.lighttpd.html : returns OK (displays the index page)
http://localhost/index.lighttpd.html?%C0 : 400 Bad Request
http://localhost/index.lighttpd.html?%C1 : 400 Bad Request
http://localhost/index.lighttpd.html?%C2 : OK

I can't understand this behavior.

Thank you very much.

OHNO, Tetsuji


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lighttpd depends on:
ii  libattr1      1:2.4.48-4
ii  libbz2-1.0    1.0.6-9.1
ii  libc6         2.28-10
ii  libfam0       2.7.0-17.3
ii  libpcre3      2:8.39-12
ii  libssl1.1     1.1.1c-1
ii  lsb-base      10.2019051400
ii  mime-support  3.62
ii  zlib1g        1:1.2.11.dfsg-1

Versions of packages lighttpd recommends:
ii  lighttpd-modules-ldap   1.4.53-4
ii  lighttpd-modules-mysql  1.4.53-4
ii  perl                    5.28.1-6
ii  spawn-fcgi              1.6.4-2

Versions of packages lighttpd suggests:
pn  apache2-utils  <none>
pn  lighttpd-doc   <none>
ii  openssl        1.1.1c-1
pn  php-cgi        <none>
pn  rrdtool        <none>

-- Configuration Files:
/etc/lighttpd/lighttpd.conf changed:
$HTTP["host"] == "10.0.0.1" {
	userdir.path         = "public_html"
	userdir.exclude-user = ( "root", "postmaster" )
}
server.modules = (
	"mod_indexfile",
	"mod_access",
	"mod_alias",
	"mod_redirect",
)
server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 6080
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)
index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
server.modules += (
	"mod_compress",
	"mod_dirlisting",
	"mod_staticfile",
)


-- no debconf information

--- End Message ---
--- Begin Message ---
Not a bug.

An explanation was provided of why this is secure behavior and working as designed.

--- End Message ---
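The responses listed in the report (%C0 and %C1 rejected, %C2 accepted) are consistent with a server refusing any percent-encoded byte that can never occur in well-formed UTF-8: 0xC0 and 0xC1 could only start overlong two-byte sequences and 0xF5..0xFF lie beyond U+10FFFF (RFC 3629), whereas 0xC2 is a legitimate lead byte. The Python below is an added example, not part of this bug report and not lighttpd's own code; it models such a policy with its own function names (`check_request_target`, `percent_decode`) and its own treatment of control characters, and shows why the check is defensive: a decoder that tolerates overlong forms turns %C0%AF into "/".

```python
# Added example, not lighttpd's implementation. Assumption: the server rejects
# any %XX whose byte value can never appear in well-formed UTF-8, regardless
# of whether neighbouring bytes would complete a sequence (which is why a
# lone %C2 passes while %C0 and %C1 do not).
import string
from typing import Optional

# Byte values that never occur in well-formed UTF-8 (RFC 3629, section 3).
NEVER_IN_UTF8 = frozenset({0xC0, 0xC1} | set(range(0xF5, 0x100)))


def percent_decode(component: str) -> Optional[bytes]:
    """Decode %XX escapes in one URL component (path or query) to raw bytes.

    Returns None for a truncated or non-hex escape, which a server would
    treat as a malformed request.
    """
    out = bytearray()
    i = 0
    while i < len(component):
        ch = component[i]
        if ch != '%':
            out.extend(ch.encode('utf-8'))
            i += 1
            continue
        hexpair = component[i + 1:i + 3]
        if len(hexpair) != 2 or not all(c in string.hexdigits for c in hexpair):
            return None
        out.append(int(hexpair, 16))
        i += 3
    return bytes(out)


def check_request_target(target: str) -> int:
    """Return 200 when path and query decode cleanly under the modelled
    policy, 400 otherwise."""
    path, _, query = target.partition('?')
    for component in (path, query):
        raw = percent_decode(component)
        if raw is None:
            return 400                      # malformed %XX escape
        for b in raw:
            if b in NEVER_IN_UTF8:
                return 400                  # e.g. %C0, %C1: never valid UTF-8
            if b < 0x20 or b == 0x7F:
                return 400                  # control character in the URL
    return 200


def lenient_two_byte_decode(lead: int, cont: int) -> str:
    """A two-byte UTF-8 decoder that does NOT reject overlong forms.

    This is the class of mistake the 0xC0/0xC1 rejection guards against:
    the overlong pair C0 AF decodes to U+002F, '/'.
    """
    if not (0xC0 <= lead <= 0xDF and 0x80 <= cont <= 0xBF):
        raise ValueError('not a two-byte lead/continuation pair')
    return chr(((lead & 0x1F) << 6) | (cont & 0x3F))


def strict_utf8_accepts(raw: bytes) -> bool:
    """Python's UTF-8 codec is strict and refuses overlong sequences."""
    try:
        raw.decode('utf-8')
        return True
    except UnicodeDecodeError:
        return False


if __name__ == '__main__':
    # Constructed request-targets mirroring the ones in the bug report.
    for t in ('/index.lighttpd.html',
              '/index.lighttpd.html?%C0',
              '/index.lighttpd.html?%C1',
              '/index.lighttpd.html?%C2',
              '/..%C0%AF..%C0%AFetc/passwd'):
        print(f'{t:40} -> {check_request_target(t)}')
    print('lenient decode of C0 AF:', repr(lenient_two_byte_decode(0xC0, 0xAF)))
    print('strict decode of C0 AF accepted:', strict_utf8_accepts(b'\xc0\xaf'))
```

Run it directly to see the four request-targets from the report answered 200, 400, 400, 200, followed by the overlong traversal string rejected with 400. The last two lines show the contrast that motivates the rejection: the lenient decoder maps the bytes C0 AF to "/", so a path such as "..%C0%AF" would become "../" after decoding, while a strict decoder refuses the same bytes outright. Rejecting the escape before any decoding happens removes the question of which decoder downstream code will use.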
