Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Control: tags -1 + bullseye
Control: tags -1 + bookworm
Control: tags -1 + upstream
Control: Found -1 2.4.61-1~deb11u1

Dear Maintainer,

A tracking bug for a regression

> The SSRF fix in mod_rewrite introduced in r1918561 produces a "403
> Forbidden" response not only when an encoded question mark is introduced
> through a backreference but also when an existing query string appended via
> the QSA flag contains %3F.
> 
> 
> Steps to Reproduce:
> 
> 1) Prepare a webroot with an index.html file.
> 
> 2) Set up a vhost with the following rewrite rules
>    (or add them to a .htaccess file):
> 
>   RewriteEngine On
>   RewriteRule ^(.*)$ index.html?_path=$1 [L,QSA]
> 
> 3) Access /test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar in a web
> browser
> 
> 
> Actual Results:
> 
> The HTTP server produces a "403 Forbidden" response.
> 
> Only when the flag UnsafeAllow3F is added to the RewriteRule the results
> are as expected.
> 
> 
> Expected Results:
> 
> The URL should have been rewritten to /index.html?_path=%2Ftest&foo=bar and
> the contents of index.html should have been delivered to the web browser.
> 
> 
> Additional Information:
> 
> Rewrite rules similar to the one used in step 2 above are common in htaccess
> files delivered with PHP applications. To e.g. prevent issues with
> mod_cache, the original path is passed to the target script via the query
> string and all query string parameters from the original URL are appended
> via QSA flag.
> 
> This issue affects all URLs for these applications which contain a %3F
> somewhere in the query string. This commonly happens e.g. for search forms
> (the user may enter a question mark as part of the search query) and for
> scripts that send a URL in a query string (for example
> ?referer=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar).
> 
> Thanks

Bastien
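A small probe for checking whether a given host shows this regression, added here as an example and not part of the bug report or of the apache2 package. It assumes a vhost prepared as in steps 1 and 2 above (an index.html in the webroot and the QSA rewrite rule), reachable at the base URL given on the command line, and sends two requests: a control whose query string has no %3F, and the request from step 3. Only "control 200, probe 403" is attributed to the r1918561 change; a 403 on both requests is reported as inconclusive, since it more likely comes from access rules or a missing webroot.

```python
"""Probe an Apache vhost for the mod_rewrite QSA/%3F regression described in
upstream bug 69197.  Added example; not code from the bug report or apache2."""
import sys
import urllib.error
import urllib.request

# Constructed probe set.  The vhost under test is assumed to carry the rule
# from step 2 of the report:
#   RewriteRule ^(.*)$ index.html?_path=$1 [L,QSA]
# The control query contains no encoded '?', so it must succeed even on an
# affected build; the probe is the exact request from step 3 and carries %3F.
CONTROL_PATH = "/test?url=https%3A%2F%2Fexample.com%2F"
PROBE_PATH = "/test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar"


def fetch_status(base_url, path, timeout=5.0):
    """Return the HTTP status code for base_url + path.

    urllib raises HTTPError for 4xx/5xx, so the code is taken from the
    exception instead of treating the refusal as a transport failure.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "qsa-3f-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(control_status, probe_status):
    """Map the two observed status codes to a verdict string.

    Only the combination "control succeeds, %3F probe is refused with 403"
    matches the regression.  A failing control request means the 403 (or
    other error) has a different cause, so no conclusion is drawn.
    """
    if control_status != 200:
        return f"inconclusive: control request returned {control_status}"
    if probe_status == 403:
        return "regression present: %3F in QSA query string is rejected"
    if probe_status == 200:
        return "not affected (or UnsafeAllow3F is set on the rule)"
    return f"unexpected status {probe_status} for the %3F probe"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} http://host-under-test", file=sys.stderr)
        return 2
    base = argv[1]
    verdict = classify(fetch_status(base, CONTROL_PATH),
                       fetch_status(base, PROBE_PATH))
    print(verdict)
    # Non-zero exit for anything other than a clean "not affected" result,
    # so the probe can sit in a post-upgrade check.
    return 0 if verdict.startswith("not affected") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 qsa_3f_check.py http://localhost` against the test vhost. Note that a "not affected" result on 2.4.61 may simply mean the rule carries UnsafeAllow3F, which switches off the SSRF protection that r1918561 added; the probe cannot tell the two apart from the outside.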
