https://bz.apache.org/bugzilla/show_bug.cgi?id=66580

            Bug ID: 66580
           Summary: url contain %25(encoded for %) in path, httpd will
                    return 400(bad request) if set AllowEncodedSlashes
                    NoDecode
           Product: Apache httpd-2
           Version: 2.4.57
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_proxy
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Hi, we hit a problem: if our URL contains %25 (encoded %) in the path, then httpd,
which acts as a reverse proxy server, returns 400 (Bad Request) to the client
after we upgraded to httpd-2.4.57. We use the flag AllowEncodedSlashes set to
NoDecode so that slashes are not decoded by httpd.

The steps below show how to reproduce this problem:

I tested it manually with the official Apache Docker image, httpd:2.4.57. My
test steps are below:

1. Start a container from this image:
docker create --name apache -p 8080:80 httpd:2.4.57
docker start apache

2. Attach to it and edit httpd.conf
docker exec -ti apache bash
# add the configuration to file /usr/local/apache2/conf/httpd.conf 
LogLevel debug
AllowEncodedSlashes NoDecode
# load proxy module
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# include the proxy configuration
Include conf/extra/httpd-proxy.conf

3. Add a new configuration httpd-proxy.conf
# add new configuration file to /usr/local/apache2/conf/extra/
$ cat conf/extra/httpd-proxy.conf
<VirtualHost *:80>

    # Proxy the requests to the backend server
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

4. Start a simple Python HTTP server like the one below
# cat app.py
from bottle import Bottle, response

app = Bottle()

@app.route('/api')
def hello_world():
    response.content_type = 'application/json'
    return '{"message": "Hello, World!"}'

if __name__ == '__main__':
    # Bottle's run() defaults to 127.0.0.1:8080, the ProxyPass target above
    app.run(debug=True)

5. Reload httpd
kill -s SIGHUP 1

6. Send request via curl
$ curl http://localhost:80/xxxx%25xxxxx
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

But this request can reach the endpoint; this 404 is returned by the endpoint server
# curl http://localhost:80/xxxx%20xxxxx

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
        <head>
            <title>Error: 404 Not Found</title>
            <style type="text/css">
              html {background-color: #eee; font-family: sans;}
              body {background-color: #fff; border: 1px solid #ddd;
                    padding: 15px; margin: 15px;}
              pre {background-color: #eee; border: 1px solid #ddd; padding: 5px;}
            </style>
        </head>
        <body>
            <h1>Error: 404 Not Found</h1>
            <p>Sorry, the requested URL <tt>&#039;http://localhost/xxxx%20xxxxx&#039;</tt>
               caused an error:</p>
            <pre>Not found: &#039;/xxxx xxxxx&#039;</pre>
        </body>
    </html>


I also tried reverting the changes in httpd-2.4.57, and I found the problem is in
this change:
https://github.com/apache/httpd/commit/9b8cf1746bb004050b02a30bf0222479fbe405c2
When I reverted this change, the problem was gone.

I think this may be a bug in mod_proxy introduced by this change.
