|
Dear maintainers, The latest update of apache2 in bookworm-security (2.4.62-1~deb12u2) introduced a regression. Here is the minimal repro I came with. ------------------------------------------------------------ Modules: # a2enmod rewrite # a2enmod proxy # a2enmod proxy_http ------------------------------------------------------------ Apache configuration : # cat /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined RewriteEngine On RewriteCond %{THE_REQUEST} "^\S+\s+/(proxy)/(.*) HTTP" RewriteRule ^
http://127.0.0.1:9010/%1/%2? [P,L,NE,QSL] </VirtualHost> ------------------------------------------------------------ (Minimal python server) # cat server.py from http.server import * class Handler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.end_headers() self.wfile.write(b"Hello World!\n") def run(host='', port=9010, server_class=HTTPServer, handler_class=Handler): server_address = (host, port) httpd = server_class(server_address, handler_class) httpd.serve_forever() run() ------------------------------------------------------------ Behavior with 2.4.62-1~deb12u2 : $ curl -i 'http://127.0.0.1/proxy/test?test' HTTP/1.1 403 Forbidden Date: Fri, 11 Oct 2024 07:12:50 GMT Server: Apache/2.4.62 (Debian) Content-Length: 274 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.62 (Debian) Server at 127.0.0.1 Port 80</address> </body></html> # tail /var/log/apache2/error.log [Fri Oct 11 09:11:55.791476 2024] [rewrite:error] [pid 30266:tid 30269] [client 192.168.122.254:53406] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F [Fri Oct 11 09:12:50.602381 2024] [rewrite:error] [pid 30267:tid 30275] [client 127.0.0.1:55978] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F Reverting to 2.4.62-1~deb12u1 : # v=2.4.62-1~deb12u1; apt install apache2=$v apache2-bin=$v apache2-data="" apache2-utils=$v $ curl -i 'http://127.0.0.1/proxy/test?test' HTTP/1.1 200 OK Date: Fri, 11 Oct 2024 07:15:19 GMT Server: BaseHTTP/0.6 Python/3.11.2 Transfer-Encoding: chunked Hello World! Adding the flag UnsafeAllow3F does make it works as expected, although it does not make much sense for me in this example as there is no %3f anywhere here. note: I think for our use case, the UnsafeAllow3F flags will be in fact needed anyway, the point of this configuration being to not filter/canonise anything for this precise reverse proxy. Thus this workaround might be ok in our case (I’ll check in detail later) Regards, Romain Aigron |