>>86290429
it doesn't work because its cgi, the problem affects only static-or-index.
The configuration files looks something like this:
if(~ $SERVER_NAME <server-ip-or-domain>) {
FS_ROOT=<path>
exec <handler>
}
And there's some handlers, cgi, static-or-cgi, static-or-index, etc. The problem is static-or-index, that calls serve-static, and this is what happens on the first lines of it:
full_path=`{echo $"FS_ROOT^$"PATH_INFO | urlencode -d}
full_path=$"full_path
if(~ $full_path */)
error 503
if(test -d $full_path){
redirect perm $"location^'/' \
'URL not quite right, and browser did not accept redirect.'
exit
}
if(! test -e $full_path){
error 404
exit
}
if(! test -r $full_path){
error 503
exit
}
See? No sanitization, it only decodes directly to a path, that transforms ..%2f in ../ and fucks up everything.