https://bz.apache.org/bugzilla/show_bug.cgi?id=65549
Bug ID: 65549
Summary: mod_proxy is passing canonicalized instead of non-canonicalized urls when ProxyPass nocanon and interpolate keywords are both specified
Product: Apache httpd-2
Version: 2.4.48
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
Assignee: bugs@httpd.apache.org
Reporter: joels...@gmail.com
Target Milestone: ---

Created attachment 38013
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38013&action=edit
Patch that fixes this bug

When a ProxyPass directive has nocanon turned on, Apache compares the raw, unparsed request uri with the ProxyPass path. When interpolate is turned on, Apache needs to compare the raw uri with the interpolated ProxyPass path; however, when nocanon is on, Apache is comparing the raw uri with the uninterpolated ProxyPass path.

In modules/mod_proxy/mod_proxy.c, line 742 is incorrect (in httpd 2.4.48):

```
if (nocanon && len != alias_match(r->unparsed_uri, ent->fake)) {
    mismatch = 1;
    use_uri = r->uri;
}
```

`ent->fake` is the uninterpolated ProxyPass path. `alias_match` should be called on `fake`. You can see this above at line 675:

```
if (dconf && (dconf->interpolate_env == 1) && (ent->flags & PROXYPASS_INTERPOLATE)) {
    fake = proxy_interpolate(r, ent->fake);
    real = proxy_interpolate(r, ent->real);
}
else {
    fake = ent->fake;
    real = ent->real;
}
```

When interpolate is on, `fake` is set to the interpolated ProxyPass path. Notice also that even when interpolate isn't on, `fake` is set to the uninterpolated path, so in either case the `fake` variable should be used instead of `ent->fake`.

The result of this bug is that the nocanon keyword is ignored. When the `alias_match` at line 742 fails, it sets `mismatch` to 1 and it ignores the nocanon directive (setting `use_uri` to `r->uri`):

```
if (mismatch) {
    /* We made a reducing transformation, so we can't safely use
     * unparsed_uri. Safe fallback is to ignore nocanon.
     */
    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01136)
                  "Unescaped URL path matched ProxyPass; ignoring unsafe nocanon");
}
```

To reproduce this, set `ProxyPassInterpolateEnv On`, create a ProxyPass directive with nocanon and interpolate on, and make sure the ProxyPass path contains an environment variable to interpolate. If you then send a request url that has escaped characters in it:

http://foo.bar/baz/0%3A3%3AL7Vl4z0ylfnGOkjHUmwi%2Bnrz9QV39BxOl8SQWQu%2BswJI_w8y2Pr9pNAB9RM%3D/

It will be proxied to the backend with the characters unescaped even though the nocanon directive was used:

http://foo.bar/baz/0:3:L7Vl4z0ylfnGOkjHUmwi+nrz9QV39BxOl8SQWQu+swJI_w8y2Pr9pNAB9RM=/

Attached is a patch that fixes this bug.

Thanks,
Joel Self
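The comparison described in the report, reduced to a stand-alone model (an added example, not httpd source and not the attached patch). `env_lookup`, `interpolate`, `prefix_match`, `pick_uri`, the `SECTION` variable and the shortened sample URIs are assumptions made for illustration; the real `proxy_interpolate` and `alias_match` do more, and this model always interpolates.

```c
#include <stdio.h>
#include <string.h>

/* Constructed environment: SECTION=baz (the variable name is an assumption). */
static const char *env_lookup(const char *name)
{
    return strcmp(name, "SECTION") == 0 ? "baz" : "";
}

/* Simplified stand-in for proxy_interpolate(): expands the first ${NAME}. */
static void interpolate(const char *in, char *out, size_t outsz)
{
    const char *s = strstr(in, "${");
    const char *e = s ? strchr(s, '}') : NULL;
    char name[64];
    if (!e) { snprintf(out, outsz, "%s", in); return; }
    snprintf(name, sizeof name, "%.*s", (int)(e - s - 2), s + 2);
    snprintf(out, outsz, "%.*s%s%s", (int)(s - in), in, env_lookup(name), e + 1);
}

/* Simplified stand-in for alias_match(): matched length, or 0 if no match. */
static int prefix_match(const char *uri, const char *alias)
{
    size_t n = strlen(alias);
    return strncmp(uri, alias, n) == 0 ? (int)n : 0;
}

/* URI a nocanon+interpolate rule would forward. use_fake = 0 checks the raw URI
 * against ent_fake (as quoted from line 742); 1 checks it against fake. */
static const char *pick_uri(const char *uri, const char *unparsed_uri,
                            const char *ent_fake, int use_fake)
{
    static char fake[256];
    interpolate(ent_fake, fake, sizeof fake);
    int len = prefix_match(uri, fake);
    if (len == 0) return NULL;       /* rule does not apply to this request */
    if (len != prefix_match(unparsed_uri, use_fake ? fake : ent_fake))
        return uri;                  /* mismatch: nocanon ignored */
    return unparsed_uri;             /* nocanon honoured */
}

int main(void)
{
    const char *uri = "/baz/0:3:abc=/";        /* decoded r->uri (constructed) */
    const char *raw = "/baz/0%3A3%3Aabc%3D/";  /* r->unparsed_uri (constructed) */
    printf("ent->fake: %s\n", pick_uri(uri, raw, "/${SECTION}/", 0));
    printf("fake:      %s\n", pick_uri(uri, raw, "/${SECTION}/", 1));
    return 0;
}
```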