https://bz.apache.org/bugzilla/show_bug.cgi?id=66563
Bug ID: 66563
Summary: REQUEST_URI characters are not URL encoded when used
within RewriteRule
Product: Apache httpd-2
Version: 2.4.56
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_rewrite
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
When REQUEST_URI is used within a mod_rewrite RewriteRule such as:
RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=%{REQUEST_URI}"
[B,PT,L,QSA]
RewriteRule "^/dev/test2/(.*)$" "/search?q=$1" [B,PT,L,QSA]
The REQUEST_URI portion does not appear to be correctly escaped. As a result,
starting with httpd 2.4.57, the following fails with 403 Forbidden due to the
newly introduced restrictions on spaces in the mapped target URL for
RewriteRules:
/dev/test/foo%20bar (ERROR: 403. Log message includes "AH10410: Rewritten
query string contains control characters or spaces")
whereas
/srb/test2/foo%20bar works as expected (200)
Although I only tested %{REQUEST_URI} in this context, I suspect that other
mod_rewrite Server-Variables are likely affected as well.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
