https://bz.apache.org/bugzilla/show_bug.cgi?id=61388

            Bug ID: 61388
           Summary: unescaped %0A (\n) within a RewriteMap prg: result can
                    show other users requested sites
           Product: Apache httpd-2
           Version: 2.4.6
          Hardware: HP
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_rewrite
          Assignee: bugs@httpd.apache.org
          Reporter: tom....@protonmail.com
  Target Milestone: ---

If you return an unescaped %0A (\n) in a RewriteMap prg: result, Apache (resp.
mod_rewrite) becomes confused. It mixes up content results among all requesting
clients.

Example Apache Config:

...
<Location /test>
    Require ip ...

    RewriteRule /html/(.+) "/${rewriteUrl:%{REQUEST_URI}?%{QUERY_STRING}}" [DPI]
    RewriteRule /expired/forbidden - [F,L]
</Location>

<IfModule mod_rewrite.c>
#    LogLevel info rewrite:trace7
    Mutex file:/appl/locks rewrite-map
    RewriteMap rewriteUrl   'prg:/appl/bin/rewriteUrl.bin'
</IfModule>
...

Submitting the URL http://test.com/test?func=FILE&file=foo.jpg%0Abar.jff mixes
up Apache results among all users, if the rewriteUrl prg unescapes %0A to a
newline character and therefore returns 2 lines. This behaviour remains until
Apache is restarted (graceful).

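One way to keep a prg: map program from ever answering a lookup with more than one line, as an added example that is not part of the original report or of Apache's code. It assumes the helper only percent-decodes its key (the real rewriteUrl.bin logic is not shown in the report); map_reply, serve and demo are hypothetical names.

```python
#!/usr/bin/env python3
"""Sketch of a RewriteMap prg: helper that answers each lookup with one line."""
import io
import sys
from urllib.parse import unquote

LOOKUP_FAILED = "NULL"  # mod_rewrite treats this literal reply as "no value"


def map_reply(key: str) -> str:
    """Return the single-line reply for one lookup key."""
    # Assumed rewrite logic: percent-decode the key, as the report describes.
    value = unquote(key)
    # A decoded CR/LF (or any other control character) would turn one reply
    # into several lines and shift every later answer, so refuse the lookup.
    if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return LOOKUP_FAILED
    return value


def serve(requests, replies) -> None:
    """One newline-terminated key in, one newline-terminated reply out."""
    for line in requests:
        replies.write(map_reply(line.rstrip("\r\n")) + "\n")
        replies.flush()  # httpd waits for the reply, so never buffer it


def demo() -> list:
    """Run constructed keys through serve() and return the reply lines."""
    keys = [
        "/test?func=FILE&file=foo.jpg",            # constructed, benign
        "/test?func=FILE&file=foo.jpg%0Abar.jff",  # URL from the report
        "/test?func=FILE&file=other.jpg",          # constructed, next lookup
    ]
    out = io.StringIO()
    serve(io.StringIO("\n".join(keys) + "\n"), out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

The third constructed lookup still receives its own answer because the second one produced exactly one line.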