You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Greg Ubben <gs...@nsa.gov> on 2001/03/07 03:39:35 UTC
mod_rewrite/7369: mod_rewrite escapes QUERY_STRINGs where it shouldn't
>Number: 7369
>Category: mod_rewrite
>Synopsis: mod_rewrite escapes QUERY_STRINGs where it shouldn't
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Mar 06 18:40:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: gsu@nsa.gov
>Release: 1.3.19
>Organization:
apache
>Environment:
Solaris 2.7 on Sun Ultra 10, gcc -O2 (though any environment)
>Description:
Hello. I believe fix PR#4734 in Apache 1.3.10 ("Make sure mod_rewrite escapes
QUERY_STRINGS on redirects") went too far, or was fixed in the wrong place.
It breaks a major web infrastructure service we use for directing "virtual"
URLs to actual URLs using mod_rewrite's DBM capabilities. Here is our
basic mod_rewrite configuration, which runs out of a virtual host
(say, urn.bar.com):
RewriteEngine on
RewriteMap urn dbm:/urn/data/urn-map
RewriteMap tolower int:tolower
# Map URN to URL if in the table and it's a type mod_rewrite can redirect.
# If extra path info given, replace the last component of the URL with it.
RewriteCond ${tolower:$1} (.*)
RewriteCond ${urn:%1} ^((https?|ftp)://[^?#$|]+)$
RewriteCond %1|$2 ^([^|?]+)(/.*\|)?(/[^|]*)
RewriteRule ^/([^/]+)(.*) %1%3 [QSA,R,L]
# pass remaining special cases and unknowns up to a CGI to handle
RewriteRule ^/(.*) /urn/cgi-bin/goto/$1 [NS,T=application/x-httpd-cgi]
For example, if the DBM table has in it:
feedback http://foo.bar.com/cgi-bin/feedback.pl
and we access this service via the virtual URL:
http://urn.bar.com/feedback?to=gsu@bar.com;subject=test+this
it used to correctly translate this request and redirect it to:
http://foo.bar.com/cgi-bin/feedback.pl?to=gsu@bar.com;subject=test+this
However as of Apache 1.3.10, it's turning the ; in the query string into
a %3b, causing the resulting access to fail because the final CGI can't
parse out the CGI parameters:
http://foo.bar.com/cgi-bin/feedback.pl?to=gsu@bar.com%3bsubject=test+this
This problem still happens as of Apache 1.3.19. I don't fully understand the
original problem report or fix, but I think mod_rewrite should be able to
pass an incoming query_string intact on thru to the rewritten URL that it
will be redirected to. (Unless I'm missing something.)
>How-To-Repeat:
Can't give an actual URL as this is on a closed net. See example in
description above. Don't think this is related to the DBM stuff, so
the example could probably be simplified quite a bit. Probably other
characters than semicolon (;) that are also a problem.
>Fix:
Sorry, mod_rewrite is too complex for me! Maybe original fix was applied
in too general a case? (This is a great module by the way -- exactly fit
the problem we were trying to solve!)
>Release-Note:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]