https://bz.apache.org/bugzilla/show_bug.cgi?id=69344
--- Comment #3 from Ruediger Pluem ---
(In reply to Devendra from comment #2)
> (In reply to Ruediger Pluem from comment #1)
> > This is likely caused by the fix for CVE-2024-39573 in 2.4.60 and works as
> > designed (see why on
> > https://httpd.apache.org/security/vulnerabilities_24.html). Expect that the
> > result of each RewriteRule with no Redirect or Proxy flags starts with a '/'
> > even if the substitution string does not and adjust your RewriteRules to
> > accommodate for this.
> >
> Thanks for response - Ruediger Pluem.
> So, does it mean 2.4.60 and higher versions will add "/" to RewriteRule even
> if it is already present?

It will only add one at the beginning if none is present and if it does not have a redirect or proxy flag. If one is present nothing will be added.

>
> We have log entry where an additional "/" was added and the application is
> not working.
>
> Should we replace
>
> RewriteRule ^(.*) --proto--/$1 [C]
>
> with
>
> RewriteRule ^(.*) --proto--$1 [C]

I did not look extensively at your rewriterules, but from a brief look I would expect that $1 always starts with a '/' in the rule above and hence you should remove it. Probably it is a good idea to modify your other rules above this rule to ensure that they always result in something that starts with a '/'. This would also ensure backwards compatibility with older HTTP Server versions.
