Bug#803353: apache2: apache 2.4.17 introduces breaking change to REDIRECT_URL
Package: apache2
Version: 2.4.17-1
Severity: normal
Dear Maintainer,

There appears to have been a mistake upstream.

The following change was proposed on April Fools Day this year:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57785

Despite breaking all kinds of things, this patch somehow made it
into apache 2.4.17.

It changes the REDIRECT_URL variable, which untold numbers of sites
(millions?) rely on.

That page says that REDIRECT_URL was introduced in 2010, but that
is not true. The earliest version of apache source I can find is
from 1996, and it includes the REDIRECT_URL variable:
http://svn.apache.org/viewvc/httpd/httpd/tags/1.3/apache_1_0_0/src/main/util_script.c?revision=76316&view=markup

I understand that sometimes breaking changes need to be made, but
not with little fanfare when only the tertiary version number
changes.

apache 2.5.0 appears to have already fixed this, by making the new
behavior opt-in:
https://github.com/apache/httpd/blob/42fe5bdacc3395981f717e70c8b03e587bbf865b/CHANGES

And it looks like 2.4.18 will have that fix as well:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201510.mbox/%3C8E4D5EDE-E9F5-4551-BE25-694E4D9B3C1B%40jaguNET.com%3E

I'm not sure what should be done about this, but it breaks almost
every site I've ever made (at least 50), so I thought you all
should at least know about it.
Here are some fun quotes from the upstream bug:

"This patch appears to break the preexisting PHP behaviour (all
versions, verified as far back as PHP 5.2)."

"Here at cPanel we are reverting our 2.4.17 release and are
going to re-release 2.4.16. Too many issues with
mod_rewrite/REDIRECT_URL causing a *lot* of applications to
stop working."

-- Package-specific info:
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 4.2.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.17-1
ii apache2-data 2.4.17-1
ii apache2-utils 2.4.17-1
ii dpkg 1.18.3
ii lsb-base 9.20150917
ii mime-support 3.59
ii perl 5.20.2-6
ii procps 2:3.3.10-4
Versions of packages apache2 recommends:
ii ssl-cert 1.0.37
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii chromium [www-browser] 46.0.2490.71-1
ii elinks [www-browser] 0.12~pre6-10
ii iceweasel [www-browser] 38.3.0esr-1
ii lynx-cur [www-browser] 2.8.9dev6-4
ii w3m [www-browser] 0.5.3-25
Versions of packages apache2-bin depends on:
ii libapr1 1.5.2-3
ii libaprutil1 1.5.4-1
ii libaprutil1-dbd-sqlite3 1.5.4-1
ii libaprutil1-ldap 1.5.4-1
ii libc6 2.19-22
ii libldap-2.4-2 2.4.42+dfsg-2
ii liblua5.1-0 5.1.5-8
ii libnghttp2-14 1.3.4-2
ii libpcre3 2:8.35-7.2
ii libssl1.0.0 1.0.2d-1
ii libxml2 2.9.2+zdfsg1-4
ii perl 5.20.2-6
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii chromium [www-browser] 46.0.2490.71-1
ii elinks [www-browser] 0.12~pre6-10
ii iceweasel [www-browser] 38.3.0esr-1
ii lynx-cur [www-browser] 2.8.9dev6-4
ii w3m [www-browser] 0.5.3-25
Versions of packages apache2 is related to:
ii apache2 2.4.17-1
ii apache2-bin 2.4.17-1
-- Configuration Files:
/etc/apache2/mods-available/ident.load [Errno 2] No such file or directory: u'/etc/apache2/mods-available/ident.load'
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
-- no debconf information