uhttpd problems

In CGI scripts, the QUERY_STRING variable is not always set correctly.

Steps to reproduce

Foreword: tested on multiple ar71xx devices with uhttpd from 17.01.4

Enable cgi and HTTP authentication
Without authentication, everything seems to be fine.
You can use this /etc/config/uhttpd config file:

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
#	list listen_http '[::]:80'
#	list listen_https '0.0.0.0:443'
#	list listen_https '[::]:443'
#	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option realm 'demo'
	list httpauth 'prefix_user'

config cert 'defaults'
	option days '730'
	option bits '2048'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'LEDE'

config httpauth 'prefix_user'
	option prefix '/'
	option username 'asdf'
	option password '$1$$c5nwjO0v8rrAmMj4JqTUC0'
	# password is 'asdf'

Add CGI script for testing in /www/cgi-bin/querystring.sh:

#!/bin/sh

echo "Content-type: text/plain"
echo 

echo "begin"
echo "${QUERY_STRING}"
echo "end"

Check delivered content:

http://192.168.1.1/cgi-bin/querystring.sh?asdf

Expected:

begin
asdf
end

Observed Behaviour / Results

With Firefox 56 as HTTP client, the first response looks like:

begin

end

All subsequent requests will be answered correctly.
Wait 5 minutes, do another request; this 'first' request will be empty again,
then, everything is fine.

In another script I saw this list of strings for QUERY_STRING where the request was "?status"

HTTP_ACCEPT_LANGUAGE=de,en;q=0.5
.sh
te
n/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Deterministic Reproduction

With wget, we get deterministic results:

wget  --user=asdf --password=asdf -O - -q http://192.168.1.1/cgi-bin/querystring.sh?asdf

wget  --user=asdf --password=asdf -O - -q http://192.168.1.1/cgi-bin/querystring.sh?asdfasdf

wget  --user=asdf --password=asdf -O - -q http://192.168.1.1/cgi-bin/querystring.sh?asdfasdfasdf

wget  --user=asdf --password=asdf -O - -q http://192.168.1.1/cgi-bin/querystring.sh?asdfasdfasdfasdf

Here, the response is either missing the QUERY_STRING (=empty), or correctly visible.
This is dependent on the length of the query string.
With a changed password (hash) in the configuration, that specific length changes!
For the examples above, the first three result in an empty response; only the last one
returns the expected behaviour.