
Regression in apache2 2.4.62-1~deb12u2 (bookworm-security)



Dear maintainers,

The latest update of apache2 in bookworm-security (2.4.62-1~deb12u2) introduced a regression.

Here is the minimal repro I came up with.

------------------------------------------------------------
Modules:

  # a2enmod rewrite
  # a2enmod proxy
  # a2enmod proxy_http
------------------------------------------------------------
Apache configuration:

  # cat /etc/apache2/sites-enabled/000-default.conf
  <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine On
        RewriteCond %{THE_REQUEST} "^\S+\s+/(proxy)/(.*) HTTP"
        RewriteRule ^ http://127.0.0.1:9010/%1/%2? [P,L,NE,QSL]
  </VirtualHost>

------------------------------------------------------------

(Minimal python server)

# cat server.py
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    # Answer every GET with a fixed body so the proxied response is easy to recognise.
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Hello World!\n")


def run(host='', port=9010, server_class=HTTPServer, handler_class=Handler):
    # Listen on all interfaces, port 9010 (the backend the RewriteRule proxies to).
    server_address = (host, port)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


if __name__ == '__main__':
    run()
------------------------------------------------------------


Behavior with 2.4.62-1~deb12u2:

  $ curl -i 'http://127.0.0.1/proxy/test?test'
  HTTP/1.1 403 Forbidden
  Date: Fri, 11 Oct 2024 07:12:50 GMT
  Server: Apache/2.4.62 (Debian)
  Content-Length: 274
  Content-Type: text/html; charset=iso-8859-1

  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p>You don't have permission to access this resource.</p>
  <hr>
  <address>Apache/2.4.62 (Debian) Server at 127.0.0.1 Port 80</address>
  </body></html>

  # tail /var/log/apache2/error.log
  [Fri Oct 11 09:11:55.791476 2024] [rewrite:error] [pid 30266:tid 30269] [client 192.168.122.254:53406] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
  [Fri Oct 11 09:12:50.602381 2024] [rewrite:error] [pid 30267:tid 30275] [client 127.0.0.1:55978] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F


Reverting to 2.4.62-1~deb12u1:

  # v=2.4.62-1~deb12u1; apt install apache2=$v apache2-bin=$v apache2-data="" apache2-utils=$v

  $ curl -i 'http://127.0.0.1/proxy/test?test'
  HTTP/1.1 200 OK
  Date: Fri, 11 Oct 2024 07:15:19 GMT
  Server: BaseHTTP/0.6 Python/3.11.2
  Transfer-Encoding: chunked

  Hello World!


Adding the flag UnsafeAllow3F does make it work as expected, although it does not make much sense to me in this example as there is no %3f anywhere here.

Note:
I think for our use case the UnsafeAllow3F flag will in fact be needed anyway, the point of this configuration being to not filter/canonise anything for this precise reverse proxy.
Thus this workaround might be OK in our case (I'll check in detail later).

Regards,

Romain Aigron
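As an added example (not part of Romain's report), a small Python triage helper for this regression: it parses the AH10508 entries from error.log in the format shown above and counts them per client, and it lints a config for RewriteRule lines shaped like the one in the report (a '?' in the substitution and no UnsafeAllow3F flag) so they can be reviewed before or after the upgrade. The second log line and the second RewriteRule are constructed; the SAMPLE_* names and the three functions are mine, not Apache's or Debian's.

```python
import re
from collections import Counter

# Lines 1 and 3 below are the two AH10508 entries from the report; line 2 is a
# constructed, unrelated entry included to show that it is ignored.
SAMPLE_ERROR_LOG = """\
[Fri Oct 11 09:11:55.791476 2024] [rewrite:error] [pid 30266:tid 30269] [client 192.168.122.254:53406] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Fri Oct 11 09:12:03.000000 2024] [mpm_event:notice] [pid 30265:tid 30265] AH00489: Apache/2.4.62 (Debian) configured -- resuming normal operations
[Fri Oct 11 09:12:50.602381 2024] [rewrite:error] [pid 30267:tid 30275] [client 127.0.0.1:55978] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
"""

# Constructed config: the rule from the report, then the same rule with the workaround flag.
SAMPLE_CONF = """\
RewriteEngine On
RewriteCond %{THE_REQUEST} "^\\S+\\s+/(proxy)/(.*) HTTP"
RewriteRule ^ http://127.0.0.1:9010/%1/%2? [P,L,NE,QSL]
RewriteRule ^ http://127.0.0.1:9010/%1/%2? [P,L,NE,QSL,UnsafeAllow3F]
"""

AH10508_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[rewrite:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] AH10508: (?P<msg>.*)$"
)
REWRITE_RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

def parse_ah10508(log_text):
    """Return one dict (ts, pid, tid, client, msg) per AH10508 rejection in log_text."""
    return [m.groupdict() for m in map(AH10508_RE.match, log_text.splitlines()) if m]

def rejections_per_client(events):
    """Count AH10508 rejections per client IP (port stripped) to see who is getting 403s."""
    return Counter(ev["client"].rsplit(":", 1)[0] for ev in events)

def rules_needing_review(conf_text):
    """RewriteRule lines shaped like the one in the report: a '?' in the substitution
    and no UnsafeAllow3F flag. Returns (lineno, substitution, flags) tuples."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = REWRITE_RULE_RE.match(line)
        if not m:
            continue
        _pattern, subst, flags = m.groups()
        flag_list = [f.strip() for f in (flags or "").split(",") if f.strip()]
        if "?" in subst and "UnsafeAllow3F" not in flag_list:
            hits.append((lineno, subst, flag_list))
    return hits

if __name__ == "__main__":
    print(rules_needing_review(SAMPLE_CONF), rejections_per_client(parse_ah10508(SAMPLE_ERROR_LOG)))
```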

