Hi,
It appears this patch has introduced a regression, whereby a `?`
character introduced in a RewriteMap now (in 2.4.52-1ubuntu4.14)
requires [UnsafeAllow3F] where it didn't previously. A minimal config to
reproduce:
-----------------------
RewriteEngine On
RewriteRule ^/bob$ /jeremy?asd=asd [L,R]
RewriteMap redirects txt:maps/redirects.txt
RewriteRule ^(/fred)/?$ ${redirects:$1} [L,R]
-----------------------
With a map of:
-----------------------
/fred /jeremy?asd=asd
-----------------------
A request to /bob works as expected with a 302 redirect to /jeremy?asd=asd.
A request to /fred does not work and instead returns a 403 with "Unsafe URL
with %3f URL rewritten without UnsafeAllow3F" logged.
We have confirmed that in version 2.4.52-1ubuntu4.13 this was working as
expected without the need for [UnsafeAllow3F].
I can file a new bug for this if required.
--
https://bugs.launchpad.net/bugs/2103723
Title:
Fix for CVE-2024-38474 also blocks %3f in appended query strings
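An added example, not part of the report above and not Apache or Ubuntu code: a small audit script that finds the rule shape described in the report, a RewriteRule that expands a txt: RewriteMap whose value contains `?` and that lacks the UnsafeAllow3F flag. The function names and sample data are hypothetical and constructed from the reproducer; the check relies only on the behaviour the report describes, not on mod_rewrite's implementation.

```python
import re

# Constructed sample input mirroring the reproducer in the report.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^/bob$ /jeremy?asd=asd [L,R]
RewriteMap redirects txt:maps/redirects.txt
RewriteRule ^(/fred)/?$ ${redirects:$1} [L,R]
"""
SAMPLE_MAPS = {"maps/redirects.txt": "# constructed map\n/fred /jeremy?asd=asd\n/home /index.html\n"}

MAP_DEF = re.compile(r"^\s*RewriteMap\s+(\S+)\s+txt:(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
MAP_REF = re.compile(r"\$\{([^:}]+):")


def map_keys_with_qmark(map_text):
    """Return the keys of a txt: map whose value contains a literal '?'."""
    keys = []
    for line in map_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#") and "?" in parts[1]:
            keys.append(parts[0])
    return keys


def find_affected_rules(conf_text, map_files):
    """Return (line_no, map_name, keys) for each rule that expands a map with
    '?'-bearing values and does not carry the UnsafeAllow3F flag."""
    lines = conf_text.splitlines()
    # Pass 1: collect txt: maps so a rule placed before its RewriteMap is still checked.
    maps = {}
    for line in lines:
        m = MAP_DEF.match(line)
        if m:
            maps[m.group(1)] = map_keys_with_qmark(map_files.get(m.group(2), ""))
    # Pass 2: check every rule's substitution for ${map:...} references.
    hits = []
    for no, line in enumerate(lines, 1):
        r = RULE.match(line)
        if not r:
            continue
        flags = {f.strip().split("=")[0].lower() for f in (r.group(3) or "").split(",")}
        if "unsafeallow3f" in flags:
            continue
        for name in MAP_REF.findall(r.group(2)):
            if maps.get(name):
                hits.append((no, name, maps[name]))
    return hits
```

Calling `find_affected_rules(SAMPLE_CONF, SAMPLE_MAPS)` reports the /fred rule on line 4 and leaves the literal /bob rule alone, matching what the report observed.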