Posted to bugs@httpd.apache.org by bu...@apache.org on 2023/04/11 19:21:31 UTC
[Bug 66563] New: REQUEST_URI characters are not URL encoded when used within RewriteRule
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563
Bug ID: 66563
Summary: REQUEST_URI characters are not URL encoded when used
within RewriteRule
Product: Apache httpd-2
Version: 2.4.56
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_rewrite
Assignee: bugs@httpd.apache.org
Reporter: mazer1310@gmail.com
Target Milestone: ---
When REQUEST_URI is used within a mod_rewrite RewriteRule such as:
RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=%{REQUEST_URI}" [B,PT,L,QSA]
RewriteRule "^/dev/test2/(.*)$" "/search?q=$1" [B,PT,L,QSA]
The REQUEST_URI portion does not appear to be correctly escaped. As a result,
starting with httpd 2.4.57, the following fails with 403 Forbidden due to the
newly introduced restrictions on spaces in the mapped target URL for
RewriteRules:
/dev/test/foo%20bar (ERROR: 403. Log message includes "AH10410: Rewritten
query string contains control characters or spaces")
whereas
/srb/test2/foo%20bar works as expected (200)
Although I only tested %{REQUEST_URI} in this context, I suspect that other
mod_rewrite Server-Variables are likely affected as well.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563
Eric Covener <co...@gmail.com> changed:
What       |Removed   |Added
----------------------------------------------------------------------------
Status     |NEEDINFO  |RESOLVED
Resolution |---       |WORKSFORME
--- Comment #4 from Eric Covener <co...@gmail.com> ---
Thanks for the feedback. I made a similar update where the variables are talked
about, and once again in the [B] flag section:
http://svn.apache.org/viewvc?view=revision&revision=1909075
[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563
--- Comment #3 from Steven Bush <ma...@gmail.com> ---
Ok, that worked successfully. I was able to get it working with:
RewriteMap esc int:escape
RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=${esc:%{REQUEST_URI}}" [B,PT,L,QSA]
I would suggest perhaps adding some text to the mod_rewrite documentation for
RewriteRule, but otherwise this issue can be closed.
Something along these lines for the docs:
EXISTING:
In addition to plain text, the Substitution string can include
back-references ($N) to the RewriteRule pattern
back-references (%N) to the last matched RewriteCond pattern
server-variables as in rule condition test-strings (%{VARNAME})
mapping-function calls (${mapname:key|default})
Back-references are identifiers of the form $N (N=0..9), which will be replaced
by the contents of the Nth group of the matched Pattern. The server-variables
are the same as for the TestString of a RewriteCond directive. The
mapping-functions come from the RewriteMap directive and are explained there.
These three types of variables are expanded in the order above.
PROPOSED: Although the B and related flags escape back-references,
server-variables are not similarly escaped. Instead, use the RewriteMap
internal functions to escape the server-variables as needed.
Meanwhile, thank you for the quick response!
[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563
--- Comment #2 from Steven Bush <ma...@gmail.com> ---
>> There was some early discussion about allowing spaces here, but it didn't go over well. What eventually consumes this URL? <<
The original service that caused problems for us (not the stripped down sample
that I provided) is consumed by a service that internally determines its
output based on the origin. In essence, three different services are handled
by a single implementation based on the origin path.
The problem is that mod_rewrite allows server-variables (such as REQUEST_URI)
as substitutions within the RewriteRule target URL, but those might not be
properly URL encoded, and unlike the back references, there isn't any option to
escape the characters safely.
I was hoping I could go back to the service developer and say, "using
REQUEST_URI in this way is not supported by mod_rewrite." However, when I
looked at the RewriteRule documentation, I found this bit of text which
unfortunately indicates that server-variables are supported:
https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule
>>In addition to plain text, the Substitution string can include
>>back-references ($N) to the RewriteRule pattern
>>back-references (%N) to the last matched RewriteCond pattern
>>server-variables as in rule condition test-strings (%{VARNAME})
>>mapping-function calls (${mapname:key|default})
I'll give a try to using the RewriteMap internal functions and see if that
sorts this out and I'll comment again once I have it tested.
[Bug 66563] REQUEST_URI characters are not URL encoded when used within RewriteRule
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66563
Eric Covener <co...@gmail.com> changed:
What    |Removed |Added
----------------------------------------------------------------------------
Status  |NEW     |NEEDINFO
Version |2.4.56  |2.4.57
--- Comment #1 from Eric Covener <co...@gmail.com> ---
I think it's expected/longstanding that variables other than %THE_REQUEST have
already been decoded, and that [B] only affects regex back-references.
For other variables I think you need something like int:escape map.
There was some early discussion about allowing spaces here, but it didn't go
over well. What eventually consumes this URL?
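Added example, not part of the original thread or of httpd: a small Python lint for the situation discussed in Comments #1 and #3, reporting RewriteRule substitutions where a %{VAR} reaches the query string without passing through an int:escape RewriteMap. It assumes one directive per logical line and that the RewriteMap is declared before the rules that use it; unescaped_vars and SAMPLE are names made up for this example.

```python
import re
import shlex

# ${map:%{VAR}} or ${map:%{VAR}|default}: a server variable passed through a map
MAP_CALL = re.compile(r"\$\{([^:}]+):%\{[^}]+\}(?:\|[^}]*)?\}")
SERVER_VAR = re.compile(r"%\{([^}]+)\}")

def unescaped_vars(config_lines):
    """Return (line_no, variable) for each server variable that reaches the
    query string of a RewriteRule substitution without an int:escape map."""
    escape_maps, findings = set(), []
    for no, line in enumerate(config_lines, 1):
        if line.lstrip().startswith("#"):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:          # unbalanced quote: not a usable directive
            continue
        if len(tok) < 3:
            continue
        name = tok[0].lower()       # directive names are case-insensitive
        if name == "rewritemap" and tok[2].lower() == "int:escape":
            escape_maps.add(tok[1])
        elif name == "rewriterule" and "?" in tok[2]:
            query = tok[2].split("?", 1)[1]
            # Drop variables already wrapped in an escape map, keep the rest.
            query = MAP_CALL.sub(
                lambda m: "" if m.group(1) in escape_maps else m.group(0), query)
            findings += [(no, v) for v in SERVER_VAR.findall(query)]
    return findings

# Constructed sample: the two rules from the report plus the fixed form.
SAMPLE = [
    'RewriteMap esc int:escape',
    'RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=%{REQUEST_URI}" [B,PT,L,QSA]',
    'RewriteRule "^/dev/test2/(.*)$" "/search?q=$1" [B,PT,L,QSA]',
    'RewriteRule "^/dev/test/(.*)$" "/search?q=$1&origin=${esc:%{REQUEST_URI}}" [B,PT,L,QSA]',
]

if __name__ == "__main__":
    for no, var in unescaped_vars(SAMPLE):
        print(f"line {no}: %{{{var}}} enters the query string unescaped")
```

Only the rule on line 2 of the sample is reported; a variable wrapped in a map that is not declared as int:escape (for example int:tolower) is still reported.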