Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

committed two related things to trunk this afternoon: - allow anything if redirecting and no [NE] flag - add another [B] like flag that escapes only controls and spaces. On Sat, Mar 11, 2023 at 2:30 PM Eric Covener wrote: > > Pulling up some of the checks so we can consider the flag: >

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

Pulling up some of the checks so we can consider the flag: http://people.apache.org/~covener/patches/rewrite-escaping.diff (needs to be duplicated in fixups hook) On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic wrote: > > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener wrote: > > > > Saw another

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

> Allowing a space to be sent within the proxied request target is not an > option, > regardless of how the user has configured the server. The CVE fix was just to > prevent an invalid target sent from us. This context in mod_rewrite is not specific to proxying. The CVE is addressed in a similar

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Mar 10, 2023, at 8:56 AM, Yann Ylavic wrote: > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener wrote: >> >> Saw another report on users@ >> >> Any thoughts on something like this to just allow spaces? >> http://people.apache.org/~covener/patches/rewrite-lax.diff > > What about: > > Index:

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

did include the AH10410 message. URL encoding the spaces either as \%20 (path or query string) or + (query string) does eliminate the problem for our mappings. From: Eric Covener Sent: Wednesday, March 8, 2023 8:31 PM To: dev@httpd.apache.org Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic wrote: > > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener wrote: > > > > Saw another report on users@ > > > > Any thoughts on something like this to just allow spaces? > > http://people.apache.org/~covener/patches/rewrite-lax.diff > > What about: > >

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Fri, Mar 10, 2023 at 4:34 PM Eric Covener wrote: > > Saw another report on users@ > > Any thoughts on something like this to just allow spaces? > http://people.apache.org/~covener/patches/rewrite-lax.diff What about: Index: modules/mappers/mod_rewrite.c

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

string) or + (query string) does eliminate the problem for our mappings. From: Eric Covener Sent: Wednesday, March 8, 2023 8:31 PM To: dev@httpd.apache.org Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 On Wed, Mar 8, 2023 at 11: 02 PM BUSH Steve wrote: Correction! I used

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

spaces either as \%20 (path or query string) or + (query > string) does eliminate the problem for our mappings. > > > > From: Eric Covener > Sent: Wednesday, March 8, 2023 8:31 PM > To: dev@httpd.apache.org > Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

%20 (path or query string) or + (query string) does eliminate the problem for our mappings. From: Eric Covener Sent: Wednesday, March 8, 2023 8:31 PM To: dev@httpd.apache.org Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 On Wed, Mar 8, 2023 at 11: 02 PM BUSH Steve wrote: Corr

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

Or use [B], while being aware of the drawbacks. On Thu, Mar 9, 2023 at 2:38 PM Fossies Administrator < jens.schleuse...@fossies.org> wrote: > On Thu, 9 Mar 2023, Eric Covener wrote: > > > On Thu, Mar 9, 2023 at 12:14 PM wrote: > >> > >> On 3/9/23 05:30, Eric Covener wrote: > >>> > >>> > >>> On

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Thu, 9 Mar 2023, Eric Covener wrote: On Thu, Mar 9, 2023 at 12:14 PM wrote: On 3/9/23 05:30, Eric Covener wrote: On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve mailto:steven.b...@3ds.com>> wrote: Correction! I used our test template for the rule when I e-mailed just now, but

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Thu, Mar 9, 2023 at 12:14 PM wrote: > > On 3/9/23 05:30, Eric Covener wrote: > > > > > > On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve > > wrote: > > > > Correction! > > > > I used our test template for the rule when I e-mailed just now, but > > once it

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On 3/9/23 05:30, Eric Covener wrote: On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve mailto:steven.b...@3ds.com>> wrote: Correction! I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

> Am 08.03.2023 um 23:38 schrieb Eric Covener : > > On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve wrote: > >> Please remember to send the release announcement to annou...@httpd.apache.org > > Maybe a moderation issue? Can anyone with the proper hat help check it > out please? In the releases I

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote: > Correction! > > I used our test template for the rule when I e-mailed just now, but once > it is converted to the apache httpd.conf format, the actual rule appears in > the httpd.conf as: > > RewriteRule ^/zoology/animals/reset/(\d+)$

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

but it might be worth updating the mod_rewrite documentation on this? From: BUSH Steve Sent: Wednesday, March 8, 2023 7:45 PM To: dev@httpd.apache.org Subject: RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 I just completed upgrading to 2. 4. 56 from 2. 4. 55 and now we are ha

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

servers, and cache poisoning. Credits: Lars Krapf of Adobe From: Eric Covener Sent: Tuesday, March 7, 2023 3:51 AM To: dev@httpd.apache.org Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 I am going to call this one early and proceed with the release. 9 binding +1

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve wrote: > Please remember to send the release announcement to annou...@httpd.apache.org Maybe a moderation issue? Can anyone with the proper hat help check it out please?

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

Please remember to send the release announcement to annou...@httpd.apache.org From: Eric Covener Sent: Tuesday, March 7, 2023 3:51 AM To: dev@httpd.apache.org Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 I am going to call this one early and proceed with the release. 9

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one early and proceed with the release. 9 binding +1 and no other votes. fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem wrote: > > > > On 3/5/23 10:31 PM, Eric Covener wrote: > > Hi all, > > > >

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On 3/5/23 10:31 PM, Eric Covener wrote: > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: > [X]

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

+1 All looks fine on Windows. > Op 5 mrt. 2023 om 22:32 heeft Eric Covener het volgende > geschreven: > > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Sun, Mar 05, 2023 at 04:31:34PM -0500, Eric Covener wrote: > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I would like to call a VOTE over the next few days to release this candidate tarball httpd-2.4.56-rc1 as 2.4.56: [x] +1: It's not just good, it's good enough! [ ] +0: Let's have a talk. [ ] -1: There's trouble in paradise. Here's what's wrong. +1

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Sun, Mar 5, 2023 at 10:31 PM Eric Covener wrote: > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: +1: It's not just good, it's good enough! All checksums/sigs and tests pass (Debian 11 & 12), thanks Eric for RMing.

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On 3/5/23 22:31, Eric Covener wrote: Hi all, Please find below the proposed release tarball and signatures: https://dist.apache.org/repos/dist/dev/httpd/ I would like to call a VOTE over the next few days to release this candidate tarball httpd-2.4.56-rc1 as 2.4.56: [ ] +1: It's not just

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

> Am 05.03.2023 um 22:31 schrieb Eric Covener : > > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Sun, Mar 5, 2023 at 4:31 PM Eric Covener wrote: > > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

> On Mar 5, 2023, at 1:31 PM, Eric Covener wrote: > > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as