Hi,

The attached patch fixes the redirect code so that it no longer breaks the query string by re-encoding the = character.

Thanks,
Brett.
diff -ru4 orig/pound-2.6/debian/patches/xss_redirect_fix.patch new/pound-2.6/debian/patches/xss_redirect_fix.patch
--- orig/pound-2.6/debian/patches/xss_redirect_fix.patch        2012-02-03 09:46:07.000000000 +0000
+++ new/pound-2.6/debian/patches/xss_redirect_fix.patch 2013-12-23 13:35:39.000000000 +0000
@@ -42,9 +42,9 @@
 +      if (
 +          (ch>= 'A' && ch <='Z') ||
 +          (ch>= 'a' && ch <='z') ||
 +          (ch>= '0' && ch <='9') ||
-+            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';') {
++            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';' || ch == '=') {
 +
 +          urlbuf[j++] = ch;
 +          continue;
 +      }
diff -ru4 orig/pound-2.6/http.c new/pound-2.6/http.c
--- orig/pound-2.6/http.c       2013-12-23 13:54:00.000000000 +0000
+++ new/pound-2.6/http.c        2013-12-23 13:52:56.000000000 +0000
@@ -81,9 +81,9 @@
        if (
            (ch>= 'A' && ch <='Z') ||
            (ch>= 'a' && ch <='z') ||
            (ch>= '0' && ch <='9') ||
-            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';') {
+            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';' || ch == '=') {
 
            urlbuf[j++] = ch;
            continue;
        }
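Review bot: The extended allowlist on the new line still leaves `%` out, so a redirect target that already carries percent-encoded octets would, if the code below this hunk escapes everything not listed, be double-encoded in the same way `=` was before this change; confirm whether the input reaching this loop can already be encoded. The enclosing function begins and ends outside the hunk, so neither the size of `urlbuf` nor a bound on `j` is visible; the write `urlbuf[j++] = ch` is only safe if the buffer is sized for worst-case expansion of every input byte, which is worth verifying at the declaration. The allowlist is the whole security policy of this fix and deserves a comment stating it, e.g. `/* Pass through unreserved chars and the delimiters a Location URL needs (: / ? & ; =); everything else is percent-escaped below. */`. The quilt patch at debian/patches/xss_redirect_fix.patch in this same diff mirrors the line, so any comment or further change belongs in both places.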
