https://bz.apache.org/bugzilla/show_bug.cgi?id=61388
Bug ID: 61388 Summary: unescaped %0A (\n) within a RewriteMap prg: result can show other users requested sites Product: Apache httpd-2 Version: 2.4.6 Hardware: HP OS: Linux Status: NEW Severity: major Priority: P2 Component: mod_rewrite Assignee: bugs@httpd.apache.org Reporter: tom....@protonmail.com Target Milestone: --- If you return an unescaped %0A (\n) in a RewriteMap prg: result, Apache (resp. mod_rewrite) becomes confused. It mixes up content results among all requesting clients. Example Apache Config: ... <Location /test> Require ip ... RewriteRule /html/(.+) "/${rewriteUrl:%{REQUEST_URI}?%{QUERY_STRING}}" [DPI] RewriteRule /expired/forbidden - [F,L] </Location> <IfModule mod_rewrite.c> # LogLevel info rewrite:trace7 Mutex file:/appl/locks rewrite-map RewriteMap rewriteUrl 'prg:/appl/bin/rewriteUrl.bin' </IfModule> ... Submitting the URL http://test.com/test?func=FILE&file=foo.jpg%0Abar.jff mixes up apache results among all users, if the rewriteUrl prg unescapes %0A to a newline character and therefor returns 2 lines. This behaviour remains until Apache is restarted (graceful). -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org