> Allowing a space to be sent within the proxied request target is not an
> option, regardless of how the user has configured the server. The CVE fix
> was just to prevent an invalid target sent from us.

This context in mod_rewrite is not specific to proxying. The CVE is
addressed in a similar snippet in the proxy modules.

> Why don't we fix the source of the spaces? The place where the variable is
> decoding the matched string being inserted. I find that bit surprising,
> since it doesn't behave like a proper regex.

The input here is the decoded URL-path.  rewrite can explicitly look
at the original request verbatim, but it's a rare thing to be used.

> Likewise, the rewrite mapper should always pct-encode or reject embedded
> spaces long before we get to the proxy (or internal redirect) request.

In the non-proxy case, the backreference may be in a local filename or
the query string. I guess the latter is still bogus in CGI-like cases,
but it's been tolerated forever and passed on to CGI-like things
without automatic encoding.
