https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

--- Comment #5 from Sylvain Beucler <b...@beuc.net> ---
Hi,

Thanks for the detailed explanation.

I understand that we need both patches (r1892805 and r1892874) to make sure
CVE-2021-36160 is fixed.

> It makes sense to apply this patch to "normalize" PATH_INFO, I didn't look
> at other PATH_INFO usages but there might be other places where this might
> happen too (mod_proxy_fcgi maybe?).

AFAICT the regression reported here is caused by the mod_proxy_uwsgi change
(not the mod_proxy one), so I believe other mod_proxy_* modules are not
impacted.

> In any case the leading '/' is
> introduced by the configuration so if the application can't cope with it I'd
> suggest to fix that first.
> 
> Otherwise patches are always welcome ;)

I understand there's a configuration error (missing/extra slash) in the first
place.

Though, we want to maintain strict backward-compatibility within a Debian
long-term release. rpluem's second patch seems suitable to maintain the
previous (less strict) behavior, so I'm going to apply it and I don't think
additional patches are needed, but let me know if I can be of any help.
