Posted to bugs@httpd.apache.org by bu...@apache.org on 2023/04/11 19:21:31 UTC

[Bug 66563] New: REQUEST_URI characters are not URL encoded when used within RewriteRule

https://bz.apache.org/bugzilla/show_bug.cgi?id=66563

            Bug ID: 66563
           Summary: REQUEST_URI characters are not URL encoded when used
                    within RewriteRule
           Product: Apache httpd-2
           Version: 2.4.56
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite
          Assignee: bugs@httpd.apache.org
          Reporter: mazer1310@gmail.com
  Target Milestone: ---

When REQUEST_URI is used within a mod_rewrite RewriteRule such as:

RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=%{REQUEST_URI}" [B,PT,L,QSA]
RewriteRule "^/dev/test2/(.*)$" "/search?q=$1" [B,PT,L,QSA]

The REQUEST_URI portion does not appear to be correctly escaped.  As a result,
starting with httpd 2.4.57, the following fails with 403 Forbidden due to the
newly introduced restrictions on spaces in the mapped target URL for
RewriteRules:

/dev/test/foo%20bar  (ERROR: 403.  Log message includes "AH10410: Rewritten
query string contains control characters or spaces")

whereas

/srb/test2/foo%20bar works as expected (200)

Although I only tested %{REQUEST_URI} in this context, I suspect that other
mod_rewrite Server-Variables are likely affected as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #4 from Eric Covener <co...@gmail.com> ---
Thanks for the feedback, I made a similar update where the variables are talked
about and once again in the [B] flag section.

http://svn.apache.org/viewvc?view=revision&revision=1909075



[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563

--- Comment #3 from Steven Bush <ma...@gmail.com> ---
Ok, that worked successfully.  I was able to get it working with:

RewriteMap esc int:escape
RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=${esc:%{REQUEST_URI}}" [B,PT,L,QSA]

I would suggest perhaps adding some text to the mod_rewrite documentation for
RewriteRule, but otherwise this issue can be closed.

Something along these lines for the docs:

EXISTING:
In addition to plain text, the Substitution string can include

back-references ($N) to the RewriteRule pattern
back-references (%N) to the last matched RewriteCond pattern
server-variables as in rule condition test-strings (%{VARNAME})
mapping-function calls (${mapname:key|default})

Back-references are identifiers of the form $N (N=0..9), which will be replaced
by the contents of the Nth group of the matched Pattern. The server-variables
are the same as for the TestString of a RewriteCond directive. The
mapping-functions come from the RewriteMap directive and are explained there.
These three types of variables are expanded in the order above.

PROPOSED:
Although the B and related flags escape back-references,
server-variables are not similarly escaped.  Instead, use the RewriteMap
internal functions to escape the server-variables as needed.


Meanwhile, thank you for the quick response!

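
Added example, not part of the thread and not httpd project code: a small Python lint that reads an httpd configuration and reports every RewriteRule whose rewritten query string expands a %{VAR} server-variable without passing it through a RewriteMap bound to int:escape, which is the case that comment #3 fixed. Assumptions: only the query-string part of the substitution is checked, only maps declared as int:escape count as escaping, and the sample configuration (including the /dev/test3/ path) is constructed.

```python
import re

# Constructed sample config (not from the bug report's server). Rule 1 is the
# failing form from the report; rule 2 is the int:escape form from comment #3,
# written with a backslash continuation; /dev/test3/ is a made-up path.
SAMPLE_CONF = r'''
RewriteEngine On
RewriteMap esc int:escape
RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=%{REQUEST_URI}" [B,PT,L,QSA]
RewriteRule "^/dev/test3/(.*)$" "/search?q=$1&origin=${esc:%{REQUEST_URI}}" \
    [B,PT,L,QSA]
RewriteRule "^/dev/test2/(.*)$" "/search?q=$1" [B,PT,L,QSA]
'''

TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')
SERVER_VAR = re.compile(r"%\{([^}]+)\}")


def directives(conf_text):
    """Yield each directive as a list of tokens, honouring '\\' continuations."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [quoted or bare for quoted, bare in TOKEN.findall(line)]


def unescaped_query_vars(conf_text):
    """Return (pattern, substitution, [vars]) for every RewriteRule whose query
    string expands a %{VAR} that is not wrapped in an int:escape map call."""
    parsed = list(directives(conf_text))
    # First pass: names of maps bound to the internal escape function.
    esc_maps = [t[1] for t in parsed
                if len(t) >= 3 and t[0].lower() == "rewritemap"
                and t[2].lower() == "int:escape"]
    names = "|".join(map(re.escape, esc_maps)) or r"(?!)"  # (?!) never matches
    wrapped = re.compile(r"\$\{(?:" + names + r"):(?:%\{[^}]*\}|[^{}])*\}")
    findings = []
    for t in parsed:
        if len(t) < 3 or t[0].lower() != "rewriterule":
            continue
        query = t[2].partition("?")[2]       # [B] only covers $N back-references
        leftover = SERVER_VAR.findall(wrapped.sub("", query))
        if leftover:
            findings.append((t[1], t[2], leftover))
    return findings


if __name__ == "__main__":
    for pattern, substitution, names in unescaped_query_vars(SAMPLE_CONF):
        print(f"{pattern} -> {substitution}: unescaped {', '.join(names)}")
```

A rule that calls a map name with no matching "RewriteMap <name> int:escape" line is still reported, since the lint cannot tell what that map does.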


[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563

--- Comment #2 from Steven Bush <ma...@gmail.com> ---
>> There was some early discussion about allowing spaces here, but it didn't go over well.  What eventually consumes this URL? <<

The original service that caused problems for us (not the stripped down sample
that I provided) is consumed by a service that internally determines its
output based on the origin.  In essence, three different services are handled
by a single implementation based on the origin path.  

The problem is that mod_rewrite allows server-variables (such as REQUEST_URI)
as substitutions within the RewriteRule target URL, but those might not be
properly URL encoded, and unlike the back references, there isn't any option to
escape the characters safely. 

I was hoping I could go back to the service developer and say, "using
REQUEST_URI in this way is not supported by mod_rewrite."  However, when I
looked at the RewriteRule documentation, I found this bit of text which
unfortunately indicates that server-variables are supported:

https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule

>>In addition to plain text, the Substitution string can include

>>back-references ($N) to the RewriteRule pattern
>>back-references (%N) to the last matched RewriteCond pattern
>>server-variables as in rule condition test-strings (%{VARNAME})
>>mapping-function calls (${mapname:key|default})

I'll give a try to using the RewriteMap internal functions and see if that
sorts this out and I'll comment again once I have it tested.



[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
            Version|2.4.56                      |2.4.57

--- Comment #1 from Eric Covener <co...@gmail.com> ---
I think it's expected/longstanding that variables other than %THE_REQUEST have
already been decoded, and that [B] only affects regex back-references. 

For other variables I think you need something like int:escape map.

There was some early discussion about allowing spaces here, but it didn't go
over well.  What eventually consumes this URL?
