On 24.05.2012 17:12, Eric Covener wrote:
There are a couple of PR's going around about people who were using
rewrite to operate on URL's now kicked out of mod_rewrite by default
(IIRC at least proxy:blah and CONNECT arg)
Should we just add a mod_rewrite directive or RewriteOption that opts
in to handling any URL and document the cautions in the directive? I
don't mind doing that code and doc work to skip the new check to
unblock people before 2.2.23. Please comment!
I thought the original problem with mod_rewrite existed only for rules
with the proxy flag. So rules without the proxy floag should be always
OK. Right? All bugzilla issues I am aware of only use such OK rules. If
we would allow them, we would fix the problem for most users.
For rules with the proxy flag I don't know what the "right" soluation
would be. I think the original CVE issue was triggered by interpreting
some URL prefix as a userinfo (the "@" separated part).
Jeff at some point was also looking at it, the patch attached to PR
52774 and my suggestion of only restricting rewrite rules with proxy
flag set. But it seems he also didn't come to a result.
Regards,
Rainer
