Correction!
I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and it’s clear that the use of spaces in the query string of the mapped URL is the cause of the 403 Forbidden messages.
We can update our httpd.conf mapping code, so it won’t be a problem for us, but it might be worth updating the mod_rewrite documentation on this?
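Added example, not from the thread or the httpd project: a small Python check that scans a httpd.conf for RewriteRule substitutions whose literal text contains whitespace (the case the correction above identifies as the 403 trigger on 2.4.56) and suggests a percent-encoded form. The [B] flag only escapes backreferences, so a literal space in the substitution's query string is never encoded by it; the sample config is constructed, and the inclusion of tab/CR/LF alongside the space is an assumption beyond what the thread confirms.

```python
import re
from urllib.parse import quote

# One RewriteRule directive: pattern, substitution (quoted or bare), optional [flags].
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(?P<pattern>"[^"]*"|\S+)\s+(?P<subst>"[^"]*"|\S+)'
    r'(?:\s+\[(?P<flags>[^\]]*)\])?\s*$'
)
# Whitespace that must not appear literally in a rewritten request-target. The
# thread confirms a space yields 403 on 2.4.56; tab/CR/LF are an assumption.
UNSAFE = " \t\r\n"
# Left unencoded: path separators, $N backreferences, %{VAR} expansions and
# existing %XX escapes; the query part additionally keeps its delimiters.
PATH_SAFE = "/$%{}:"
QUERY_SAFE = PATH_SAFE + "=&"


def suggest_encoding(subst):
    """Percent-encode literal whitespace, treating path and query separately."""
    path, sep, query = subst.partition("?")
    return quote(path, safe=PATH_SAFE) + sep + quote(query, safe=QUERY_SAFE)


def check_rewrite_rules(conf_text):
    """Return findings for RewriteRule substitutions containing literal whitespace."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        subst = m.group("subst").strip('"')
        if any(c in subst for c in UNSAFE):
            findings.append({"line": lineno, "substitution": subst,
                             "suggested": suggest_encoding(subst)})
    return findings


# Constructed sample: the thread's rule as it reached httpd.conf (space in the
# query string) next to the underscore variant that still works.
SAMPLE_CONF = r"""RewriteEngine on
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
"""

if __name__ == "__main__":
    for f in check_rewrite_rules(SAMPLE_CONF):
        print(f"line {f['line']}: {f['substitution']!r} -> {f['suggested']}")
```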
From: BUSH Steve <Steven.BUSH@3ds.com>
Sent: Wednesday, March 8, 2023 7:45 PM
To: dev@httpd.apache.org
Subject: RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems with existing mod_rewrite directives that use parameter substitution:
An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10
In 2.4.55, this works successfully and our internal service /auth/launchjob is called with “Number_of_Records” = 10.
However, after upgrading to 2.4.56, the service now returns 403 Forbidden. Calling the mapped service directly works okay.
In this case, the RewriteRule is not associated with mod_proxy and is used for REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)
It seems to me that the changes to address CVE-2023-25690 have caused unintended side effects?
https://downloads.apache.org/httpd/CHANGES_2.4.56

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
     mod_rewrite and mod_proxy (cve.mitre.org)
     Some mod_proxy configurations on Apache HTTP Server versions
     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
     Configurations are affected when mod_proxy is enabled along with
     some form of RewriteRule or ProxyPassMatch in which a non-specific
     pattern matches some portion of the user-supplied request-target
     (URL) data and is then re-inserted into the proxied request-target
     using variable substitution. For example, something like:

       RewriteEngine on
       RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
       ProxyPassReverse /here/ http://example.com:8080/

     Request splitting/smuggling could result in bypass of access
     controls in the proxy server, proxying unintended URLs to
     existing origin servers, and cache poisoning.
     Credits: Lars Krapf of Adobe
From: Eric Covener <covener@gmail.com>
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.
fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem
On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpluem@apache.org> wrote:
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 *httpd-2.4.56-rc1.tar.gz
> > sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger
--
Eric Covener
covener@gmail.com