Bug report for Apache httpd-2 [2023/03/12]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i| |11580|Opn|Enh|2002-08-09|generate Content-Location headers | |12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long| |13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation | |14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR| |16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.| |17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi| |17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header| |20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment | |21260|Opn|Nor|2003-07-02|CacheMaxExpire directive not enforced ! | |21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut| |22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down| |22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7| |22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header | |23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54| |24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32| |24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact| |24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g| |25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files | |25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP | |26153|Opn|Cri|2004-01-15|Apache cygwin directory traversal vulnerability | |27257|Ass|Enh|2004-02-26|rotatelogs with getopt and setuid | |27715|Ass|Enh|2004-03-16|Client sending misformed Range "bytes = 0-100" ins| |29090|Ass|Enh|2004-05-19|MultiviewsMatch NegotiatedOnly extensions not resp| |29510|Ass|Enh|2004-06-10|ab does not support multiple cookies | |29644|Ver|Nor|2004-06-17|mod_proxy keeps downloading even after the client | |30259|Ass|Enh|2004-07-22|When proxy connects to backend, a DNS lookup is do| |30505|Ass|Enh|2004-08-05|Apache uses 'Error', and not lower level event typ| |31302|Opn|Cri|2004-09-19|suexec doesn't execute commands if they're not in | |31352|Ass|Enh|2004-09-21|RFE, Bind to LDAP server with browser supplier use| |31418|Opn|Nor|2004-09-25|SSLUserName is not usable by other modules| |32328|Opn|Enh|2004-11-19|Make mod_rewrite escaping optional / expose intern| |32750|Ass|Maj|2004-12-17|mod_proxy + Win32DisableAcceptEx = memory leak| |33089|New|Nor|2005-01-13|mod_include: Options +Includes (or IncludesNoExec)| |34519|New|Enh|2005-04-19|Directory index should emit valid XHTML | |35098|Ver|Maj|2005-05-27|Install fails using --prefix | |35154|Opn|Nor|2005-06-01|Support for NID_serialNumber, etc. in SSLUserName | |35652|Opn|Min|2005-07-07|Improve error message: "pcfg_openfile: unable to c| |35768|Opn|Nor|2005-07-17|Missing file logs at far too high of log level| |36676|New|Nor|2005-09-15|time() bug in httpd/os/win32/util_win32.c:wait_for| |36710|Opn|Blk|2005-09-19|CGI output not captured | |37006|Ver|Reg|2005-10-11|"pthread" error when compiling under AIX 5.3 using| |37290|Opn|Min|2005-10-28|DirectoryIndex don't work in scriptaliased directo| |37564|New|Enh|2005-11-19|Suggestion: mod_suexec SuexecUserGroup directive i| |38325|Opn|Nor|2006-01-20|impossible to determine AUTH_TYPE of interpreted r| |38571|New|Enh|2006-02-08|CustomLog directive checked by apachectl configtes| |38995|New|Nor|2006-03-16|httpd tries to communicate with the CGI daemon eve| |39275|Opn|Nor|2006-04-11|slow child_init causes MaxClients warning | |39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn| |39727|Ass|Nor|2006-06-05|Incorrect ETag on gzip:ed content | |39748|New|Enh|2006-06-07|Header and POST support for mod_include |
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
committed two related things to trunk this afternoon: - allow anything if redirecting and no [NE] flag - add another [B] like flag that escapes only controls and spaces. On Sat, Mar 11, 2023 at 2:30 PM Eric Covener wrote: > > Pulling up some of the checks so we can consider the flag: > http://people.apache.org/~covener/patches/rewrite-escaping.diff > > (needs to be duplicated in fixups hook) > > On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic wrote: > > > > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener wrote: > > > > > > Saw another report on users@ > > > > > > Any thoughts on something like this to just allow spaces? > > > http://people.apache.org/~covener/patches/rewrite-lax.diff > > > > What about: > > > > Index: modules/mappers/mod_rewrite.c > > === > > --- modules/mappers/mod_rewrite.c(revision 1908254) > > +++ modules/mappers/mod_rewrite.c(working copy) > > @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r) > > apr_size_t flen; > > int to_proxyreq; > > > > -if (r->args && *(ap_scan_vchar_obstext(r->args))) { > > +if (rulestatus == ACTION_NOESCAPE > > +&& r->args && *(ap_scan_vchar_obstext(r->args))) { > > /* > > * We have a raw control character or a ' ' in r->args. > > * Correct encoding was missed. > > ? > > > > Regards; > > Yann. > > > > -- > Eric Covener > cove...@gmail.com -- Eric Covener cove...@gmail.com
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
Pulling up some of the checks so we can consider the flag: http://people.apache.org/~covener/patches/rewrite-escaping.diff (needs to be duplicated in fixups hook) On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic wrote: > > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener wrote: > > > > Saw another report on users@ > > > > Any thoughts on something like this to just allow spaces? > > http://people.apache.org/~covener/patches/rewrite-lax.diff > > What about: > > Index: modules/mappers/mod_rewrite.c > === > --- modules/mappers/mod_rewrite.c(revision 1908254) > +++ modules/mappers/mod_rewrite.c(working copy) > @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r) > apr_size_t flen; > int to_proxyreq; > > -if (r->args && *(ap_scan_vchar_obstext(r->args))) { > +if (rulestatus == ACTION_NOESCAPE > +&& r->args && *(ap_scan_vchar_obstext(r->args))) { > /* > * We have a raw control character or a ' ' in r->args. > * Correct encoding was missed. > ? > > Regards; > Yann. -- Eric Covener cove...@gmail.com