--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: lighttpd: server returned 400, if %C0 is included in the URL
- From: OHNO Tetsuji <t2ohno@gmail.com>
- Date: Thu, 11 Jul 2019 09:38:19 +0900
- Message-id: <156280549917.7047.13161906180160942612.reportbug@iris.a07.aist.go.jp>
Package: lighttpd
Version: 1.4.53-4
Severity: normal
Dear Maintainer,
Hello!
lighttpd server returns "400 Bad Request" if %C0 (or any other
char.) is included in the URL.
For example,
http://localhost/index.lighttpd.html : return OK (display index page)
http://localhost/index.lighttpd.html?%C0 : 400 Bad Request
http://localhost/index.lighttpd.html?%C1 : 400 Bad Request
http://localhost/index.lighttpd.html?%C2 : OK
I can't understand this behavior.
Thank you very much.
OHNO, Tetsuji
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lighttpd depends on:
ii libattr1 1:2.4.48-4
ii libbz2-1.0 1.0.6-9.1
ii libc6 2.28-10
ii libfam0 2.7.0-17.3
ii libpcre3 2:8.39-12
ii libssl1.1 1.1.1c-1
ii lsb-base 10.2019051400
ii mime-support 3.62
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages lighttpd recommends:
ii lighttpd-modules-ldap 1.4.53-4
ii lighttpd-modules-mysql 1.4.53-4
ii perl 5.28.1-6
ii spawn-fcgi 1.6.4-2
Versions of packages lighttpd suggests:
pn apache2-utils <none>
pn lighttpd-doc <none>
ii openssl 1.1.1c-1
pn php-cgi <none>
pn rrdtool <none>
-- Configuration Files:
/etc/lighttpd/lighttpd.conf changed:
$HTTP["host"] == "10.0.0.1" {
    userdir.path = "public_html"
    userdir.exclude-user = ( "root", "postmaster" )
}
server.modules = (
    "mod_indexfile",
    "mod_access",
    "mod_alias",
    "mod_redirect",
)
server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 6080
server.http-parseopts = (
    "header-strict"            => "enable", # default
    "host-strict"              => "enable", # default
    "host-normalize"           => "enable", # default
    "url-normalize-unreserved" => "enable", # recommended highly
    "url-normalize-required"   => "enable", # recommended
    "url-ctrls-reject"         => "enable", # recommended
    "url-path-2f-decode"       => "enable", # recommended highly (unless breaks app)
    #"url-path-2f-reject"      => "enable",
    "url-path-dotseg-remove"   => "enable", # recommended highly (unless breaks app)
    #"url-path-dotseg-reject"  => "enable",
    #"url-query-20-plus"       => "enable", # consistency in query string
)
index-file.names = ( "index.php", "index.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
server.modules += (
    "mod_compress",
    "mod_dirlisting",
    "mod_staticfile",
)
-- no debconf information
--- End Message ---