Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Fri, 10 Mar 2023, Eric Covener wrote:

> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff
> (this is off my $bigco fork so may not actually apply)
>
> On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve wrote:
>
>> > Maybe we can slip an additional entry into the changelog. I think in this case, for now at least, we'd primarily rely on the error_log entry. Did this produce the new AH10410?
>>
>> Yes, the error log did include the AH10410 message. URL encoding the spaces either as %20 (path or query string) or + (query string) does eliminate the problem for our mappings.
>>
>> From: Eric Covener
>> Sent: Wednesday, March 8, 2023 8:31 PM
>> To: dev@httpd.apache.org
>> Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
>>
>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote:
>>
>>> Correction! I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
>>>
>>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>>
>> Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
>>
>>> I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and it's clear that the use of spaces in the query string of the mapped URL are the cause of the 403 forbidden messages. We can update our httpd.conf mapping code, so it won't be a problem for us, but it might be worth updating the mod_rewrite documentation on this?
>> Maybe we can slip an additional entry into the changelog. I think in this case, for now at least, we'd primarily rely on the error_log entry. Did this produce the new AH10410?

I found now in https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_b that the RewriteRule flag B also allows specifying special characters to be escaped:

    In 2.4.26 and later, you can limit the escaping to specific characters in backreferences by listing them: [B=#?;]. Note: The space character can be used in the list of characters to escape, but it cannot be the last character in the list.

At first I had problems specifying a space character, but I found that escaping them helps. To circumvent the above-mentioned restriction regarding the space character I used as a hack simply two of them, so using the additional flag [B=\ \ ] helped at least in my case as a workaround (but not yet properly tested for side effects).

Jens
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Thu, 9 Mar 2023, Eric Covener wrote:

> On Thu, Mar 9, 2023 at 12:14 PM wrote:
>
>> On 3/9/23 05:30, Eric Covener wrote:
>>
>>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:
>>>
>>>> Correction! I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
>>>>
>>>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>>>
>>> Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
>>
>> I wonder how many websites might have a snippet similar to:
>>
>> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
>>
>> I do worry about this style a lot more, especially with how much of a pain [B] has been for me in the past.
>
> I think we can wait and see and only look for more problematic characters in the mod_rewrite.c change.

I have historically used a rule principally like

    RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]

With httpd-2.4.56 now all requests using file names containing a space are blocked (403 Forbidden) with the corresponding error log entry:

    AH10410: Rewritten query string contains control characters or spaces

The called CGI application tries to handle "bad" characters itself, so from my egoistic point of view at least spaces should be allowed here (maybe by an extra directive). In my case, the only but unsatisfactory workaround I have found so far would be to replace the affected spaces with %2520.

Jens
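As an added illustration, not code from this thread or from httpd itself, the following Python script statically lints RewriteRule lines for the two situations discussed in these messages: literal spaces or control characters in the substitution's query string (Steve's "Number of Records=$1" rule), which trip AH10410 on every request, and backreferences in the query string with no [B] flag (the /search.php?term=$1 and cgi_app?$1/$2 styles), which only fail when the captured request data contains such characters. For literal spaces it emits the %20 form Steve reports as working. The tokenizer, the findings dictionary and the sample rules are my own assumptions (the sample rules are constructed after the ones quoted above); note that httpd's own AH10410 check runs at request time on the expanded query string, whereas this script only inspects the configuration, and its simple tokenizer does not understand backslash-escaped spaces inside a flag list such as the [B=\ \ ] hack.

```python
"""Static lint for RewriteRule lines whose substitution carries a query string
that httpd 2.4.56's AH10410 check would reject at request time
("Rewritten query string contains control characters or spaces").
Hypothetical helper written for this thread, not part of httpd or mod_rewrite."""
import re

# Characters AH10410 objects to in the rewritten query string: controls and space.
CONTROL_OR_SPACE = re.compile(r'[\x00-\x20\x7f]')
# $N (RewriteRule) and %N (RewriteCond) backreferences.
BACKREF = re.compile(r'[$%][0-9]')

# Constructed sample, modelled on the rules quoted in the thread.
SAMPLE_CONF = r"""
# constructed sample, modelled on the rules discussed in the thread
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
RewriteRule ^/ok/(.*)$ /handler.php?term=$1 [B,L]
RewriteRule ^/static/(.*)$ /files/$1 [L]
"""


def split_directive(line):
    """Split a httpd.conf line into arguments, honouring double/single quotes
    so that a quoted substitution containing spaces stays one argument."""
    args, cur, quote = [], [], None
    for ch in line.strip():
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in '"\'':
            quote = ch
        elif ch.isspace():
            if cur:
                args.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append(''.join(cur))
    return args


def parse_flags(arg):
    """'[B,PT,L,QSA]' -> ['B', 'PT', 'L', 'QSA']; anything else -> []."""
    m = re.fullmatch(r'\[(.*)\]', arg)
    return [f.strip() for f in m.group(1).split(',')] if m else []


def percent_encode_bad(query):
    """Replace each control/space character in a literal query string with %XX."""
    return CONTROL_OR_SPACE.sub(lambda m: '%%%02X' % ord(m.group(0)), query)


def lint_rewrite_rule(line):
    """Return a finding dict for one RewriteRule line, or None if it is not a rule."""
    args = split_directive(line)
    if len(args) < 3 or args[0].lower() != 'rewriterule':
        return None
    pattern, subst = args[1], args[2]
    flags = parse_flags(args[3]) if len(args) > 3 else []
    has_b = any(f == 'B' or f.startswith('B=') for f in flags)
    finding = {'pattern': pattern, 'substitution': subst, 'flags': flags,
               'literal_bad': 0, 'unescaped_backrefs': [],
               'fixed_substitution': subst}
    if '?' not in subst:
        return finding  # no query string, nothing for AH10410 to reject
    path, query = subst.split('?', 1)
    # Literal spaces/controls written into the rule break on every request.
    finding['literal_bad'] = len(CONTROL_OR_SPACE.findall(query))
    # Backreferences copy request data into the query; without [B] a captured
    # space reaches the rewritten query unescaped and is rejected as well.
    if not has_b:
        finding['unescaped_backrefs'] = BACKREF.findall(query)
    finding['fixed_substitution'] = path + '?' + percent_encode_bad(query)
    return finding


def lint_config(text):
    """Lint every RewriteRule in a config snippet and return only the rules
    that would trip AH10410 on at least some request."""
    out = []
    for line in text.splitlines():
        f = lint_rewrite_rule(line)
        if f and (f['literal_bad'] or f['unescaped_backrefs']):
            out.append(f)
    return out


if __name__ == '__main__':
    for f in lint_config(SAMPLE_CONF):
        print(f['pattern'], '->', f['fixed_substitution'],
              '| literal spaces/controls:', f['literal_bad'],
              '| backrefs without [B]:', f['unescaped_backrefs'])
```

Run it against a real httpd.conf by reading the file into `lint_config`; rules flagged with `literal_bad` are the ones that broke outright on upgrade, while rules flagged only with `unescaped_backrefs` are the "wait and see" category from Eric's reply and deserve a look at their error_log for AH10410 entries.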
Re: [VOTE] Release libapreq2-2.15
Hi Joe,

> Hi,
>
> I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> SHA1/256/512 checksums for the tarball are as follows:
>
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494 libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701 libapreq2-2.15.tar.gz
>
> The release is prepared from:
>
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
>
> Regards, Joe

Sorry, not a vote but just a small piece of information:

Similar to the httpd project itself (see https://bz.apache.org/bugzilla/show_bug.cgi?id=63923) I have now also generated on the FOSS server fossies.org a codespell report for the libapreq2-2.15.tar.gz tarball:

    https://fossies.org/linux/test/libapreq2/codespell.html

That version-independent URL should be available at least for some days and should always redirect to the last report (if available), so currently to

    https://fossies.org/linux/test/libapreq2-2.15.tar.gz/codespell.html

By the way, the special "test" folder used isn't really integrated into the standard Fossies services and should not be accessible to search engines either.

Although the correction of misspellings and typos probably does not have top priority, I hope that the report can nevertheless be a little bit useful.

Regards
Jens

--
FOSSIES - The Fresh Open Source Software archive
mainly for Internet, Engineering and Science
https://fossies.org/