https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
--- Comment #5 from Sylvain Beucler <b...@beuc.net> ---

Hi,

Thanks for the detailed explanation. I understand that we need both patches (r1892805 and r1892874) to make sure CVE-2021-36160 is fixed.

> It makes sense to apply this patch to "normalize" PATH_INFO, I didn't look
> at other PATH_INFO usages but there might be other places where this might
> happen too (mod_proxy_fcgi maybe?).

AFAICT the regression reported here is caused by the mod_proxy_uwsgi change (not the mod_proxy one), so I believe other mod_proxy_* modules are not impacted.

> In any case the leading '/' is
> introduced by the configuration so if the application can't cope with it I'd
> suggest to fix that first.
>
> Otherwise patches are always welcome ;)

I understand there's a configuration error (missing/extra slash) in the first place. Though, we want to maintain strict backward-compatibility within a Debian long-term release.

rpluem's second patch seems suitable to maintain the previous (less strict) behavior, so I'm going to apply it and I don't think additional patches are needed, but let me know if I can be of any help.