Package: apache2
Version: 2.4.62-1~deb12u1
Severity: important
X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org

Dear Maintainer,

After upgrading apache2 packages, we noticed that our SEO rewriting rules in 
apache2 no longer worked and Tomcat tried to access non-existing file paths 
with URL encoded questionmarks.

I have first noticed that this issue affects Debian 12, but I can confirm that it 
also affects Debian 11, so this happens in oldstable, apache2 2.4.62-1~deb11u1, 
too.

To show the issue, you'll want to enable the following mods:
a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite

I have set up a balancer worker in mods-available/proxy_balancer.conf:
<Proxy balancer://tomcat>
        BalancerMember ajp://localhost:8009 secret=youllneverknow
</Proxy>

I have narrowed the issue down to using a proxy RewriteRule inside a Directory 
block. So to reproduce, set up /etc/apache2/sites-available/000-default.conf 
like this:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory "/var/www/html">
                DirectoryIndex index.html
                RewriteEngine On
                RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
        </Directory>
</VirtualHost>

To illustrate the issue, I have set up a simple /demo/ application in Tomcat 
10, but the problem is caused by the Apache2 webserver, so this part is not 
relevant here.

Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to 
http://127.0.0.1/foo/bar/?someparam will result in the following request being 
proxied to tomcat, as is expected:
        GET /demo/index.jsp?rewrite=foo/bar/&someparam

After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
        GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam

You can see that the complete parameter string is added twice now, with the 
leading ? being escaped the first time around, which in turn causes the path to 
be completely messed up, so Tomcat won't be able to find the file and returns a 
404 status.
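As an added regression check (not part of the report, nor of apache2 or Tomcat), the following script applies the report's RewriteRule by hand to compute the request target the backend should receive, and scans constructed backend request lines for the double-query pattern described above (an encoded `?` in the path whose embedded query is repeated as the real query string). The helper names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines as the backend would log them after proxying;
# the targets are the good (<= 2.4.61) and bad (2.4.62) cases from the report.
BACKEND_LOG = [
    "GET /demo/index.jsp?rewrite=foo/bar/&someparam",
    "GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam",
]

REWRITE_PATTERN = re.compile(r"^/?(.*?)$")   # the RewriteRule's pattern


def expected_target(client_path, client_query):
    """Apply the report's RewriteRule by hand: substitute $1 into
    /demo/index.jsp?rewrite=$1 and, because of [QSA], append the original
    client query string with '&'."""
    captured = REWRITE_PATTERN.match(client_path).group(1)
    target = "/demo/index.jsp?rewrite=" + captured
    if client_query:
        target += "&" + client_query
    return target


def is_double_query(target):
    """True when the path part carries a percent-encoded '?' whose embedded
    query is then repeated verbatim as the real query string, i.e. the
    mangling the report describes for 2.4.62."""
    path, sep, query = target.partition("?")
    if not sep or not re.search(r"%3f", path, re.IGNORECASE):
        return False
    _, _, embedded = unquote(path).partition("?")
    return embedded == query


def find_mangled(log_lines):
    """Return the request targets in backend log lines that show the mangling."""
    mangled = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 2 and is_double_query(parts[1]):
            mangled.append(parts[1])
    return mangled


if __name__ == "__main__":
    print("expected:", expected_target("/foo/bar/", "someparam"))
    for t in find_mangled(BACKEND_LOG):
        print("mangled :", t)
```

Running it against a real Tomcat access log (request target in the second field) after an apache2 upgrade tells you whether the rewrite is still producing the expected target or the mangled one.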

When turning on debug logging in apache2, one can see that the request path is 
still fine during mod_rewrite processing; it only gets broken during mod_proxy 
processing. The issue does not occur when the RewriteRule is placed outside of 
the Directory block. Unfortunately, this is not a viable workaround for us: we 
really need to be able to use this inside <Directory> and we need the full 
flexibility of mod_rewrite too, so we cannot implement the same thing using 
ProxyPass, either. For now, the only resolution is to downgrade the apache2 
packages:

apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1 apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1 apache2-utils=2.4.61-1~deb12u1

After the downgrade, the RewriteRule with the proxy directive is back to 
working as expected. As 2.4.62-1~deb12u1 contains security fixes, it feels like 
having to pin the previous apache2 version is not a good solution, but 
upgrading it is not possible until this is fixed.

If I had to guess, this may be caused by the following change:
mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
     "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
     with BalancerMember(s).  PR 69168.  [Yann Ylavic]


-- Package-specific info:

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.11-8-pve (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin                2.4.62-1~deb12u1
ii  apache2-data               2.4.62-1~deb12u1
ii  apache2-utils              2.4.62-1~deb12u1
ii  init-system-helpers        1.65.2
ii  media-types                10.0.0
ii  perl                       5.36.0-7+deb12u1
ii  procps                     2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u8
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u7
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1+deb12u1
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.14-1~deb12u1
ii  libxml2                  2.9.14+dfsg-1.3~deb12u1
ii  perl                     5.36.0-7+deb12u1
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.62-1~deb12u1
ii  apache2-bin  2.4.62-1~deb12u1

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/conf-available/charset.conf changed [not included]
/etc/apache2/conf-available/localized-error-pages.conf changed [not included]
/etc/apache2/conf-available/other-vhosts-access-log.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/conf-available/serve-cgi-bin.conf changed [not included]
/etc/apache2/mods-available/actions.conf changed [not included]
/etc/apache2/mods-available/alias.conf changed [not included]
/etc/apache2/mods-available/autoindex.conf changed [not included]
/etc/apache2/mods-available/cache_disk.conf changed [not included]
/etc/apache2/mods-available/cgid.conf changed [not included]
/etc/apache2/mods-available/dav_fs.conf changed [not included]
/etc/apache2/mods-available/deflate.conf changed [not included]
/etc/apache2/mods-available/dir.conf changed [not included]
/etc/apache2/mods-available/http2.conf changed [not included]
/etc/apache2/mods-available/info.conf changed [not included]
/etc/apache2/mods-available/ldap.conf changed [not included]
/etc/apache2/mods-available/mime.conf changed [not included]
/etc/apache2/mods-available/mime_magic.conf changed [not included]
/etc/apache2/mods-available/mpm_event.conf changed [not included]
/etc/apache2/mods-available/mpm_prefork.conf changed [not included]
/etc/apache2/mods-available/mpm_worker.conf changed [not included]
/etc/apache2/mods-available/negotiation.conf changed [not included]
/etc/apache2/mods-available/proxy.conf changed [not included]
/etc/apache2/mods-available/proxy_balancer.conf changed [not included]
/etc/apache2/mods-available/proxy_ftp.conf changed [not included]
/etc/apache2/mods-available/proxy_html.conf changed [not included]
/etc/apache2/mods-available/reqtimeout.conf changed [not included]
/etc/apache2/mods-available/setenvif.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/mods-available/status.conf changed [not included]
/etc/apache2/mods-available/userdir.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]

-- no debconf information