Mailing List Archive

[VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
*httpd-2.4.56-rc1.tar.gz
sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
*httpd-2.4.56-rc1.tar.gz

The SVN candidate source is found at tags/2.4.56-rc1-candidate.

--
Eric Covener
covener@gmail.com
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
> On Mar 5, 2023, at 1:31 PM, Eric Covener <covener@gmail.com> wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!

Verified sigs, compiled and installed locally (Macbook Pro M1, macos Ventura 13.2.1),
and tested around the relevant changes. Everything looks good.

+1 for release.

....Roy T. Fielding
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 5, 2023 at 4:31 PM Eric Covener <covener@gmail.com> wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [x] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

my +1 on ubuntu
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
> On 05.03.2023 at 22:31, Eric Covener <covener@gmail.com> wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.

+1

Darwin xxx 22.3.0 Darwin Kernel Version 22.3.0 (macOS ventura x86_64)

Thanks for RMing,

Stefan


>
> --
> Eric Covener
> covener@gmail.com
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On 3/5/23 22:31, Eric Covener wrote:
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
>
+1
tested on Fedora 37 and OpenBSD 7.2 and 7.3-beta
Giovanni
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 5, 2023 at 10:31 PM Eric Covener <covener@gmail.com> wrote:
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:

+1: It's not just good, it's good enough!

All checksums/sigs and tests pass (Debian 11 & 12), thanks Eric for RMing.

Regards;
Yann.
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[x] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

+1
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 05, 2023 at 04:31:34PM -0500, Eric Covener wrote:
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1, tests pass on RHEL 8+9 (x86_64), sigs good, thanks for RMing.

Seems there is some tweak required to get Actions to work for a tag
which I will look into.

Regards, Joe
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
+1 All looks fine on Windows.

> On 5 Mar 2023, at 22:32, Eric Covener <covener@gmail.com> wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.
>
> --
> Eric Covener
> covener@gmail.com
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On 3/5/23 10:31 PM, Eric Covener wrote:
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.
>

Sigs and Hashes ok
Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3

Regards

Rüdiger
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpluem@apache.org> wrote:
>
>
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> > *httpd-2.4.56-rc1.tar.gz
> > sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> > *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger



--
Eric Covener
covener@gmail.com
RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
Please remember to send the release announcement to announce@httpd.apache.org


This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged.

If you are not one of the named recipients or have received this email in error,

(i) you should not read, disclose, or copy it,

(ii) please notify sender of your receipt by reply email and delete this email and all attachments,

(iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email.


Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer https://www.3ds.com/privacy-policy/contact/
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:

> Please remember to send the release announcement to announce@httpd.apache.org

Maybe a moderation issue? Can anyone with the proper hat help check it
out please?
RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with “Number_of_Records” = 10

However, after upgrading to 2.4.56,
The service now returns 403 Forbidden. Calling the mapped service directly works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
*) SECURITY: CVE-2023-25690: HTTP request splitting with
mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
some form of RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and
is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
Credits: Lars Krapf of Adobe



RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
Correction!
I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and it’s clear that the use of spaces in the query string of the mapped URL are the cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but it might be worth updating the mod_rewrite documentation on this?


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:

> Correction!
>
> I used our test template for the rule when I e-mailed just now, but once
> it is converted to the apache httpd.conf format, the actual rule appears in
> the httpd.conf as:
>
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>

Thanks for the report. Time will tell, but I think this is a very fringe
case. The space isn't a backreference (where `B` would have fixed it) and a
literal with a space in the substitution has to be quite rare (famous last
words)

> I just looked at the mod_rewrite.c source differences from 2.4.55 to
> 2.4.56 and it’s clear that the use of spaces in the query string of the
> mapped URL are the cause of the 403 forbidden messages.
>
>
>
> We can update our httpd.conf mapping code, so it won’t be a problem for
> us, but it might be worth updating the mod_rewrite documentation on this?
>
>
>
Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the
error_log entry. Did this produce the new AH10410?
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
> On 08.03.2023 at 23:38, Eric Covener <covener@gmail.com> wrote:
>
> On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:
>
>> Please remember to send the release announcement to announce@httpd.apache.org
>
> Maybe a moderation issue? Can anyone with the proper hat help check it
> out please?

In the releases I did, announce@ did *always* show delayed/lost processing of messages. It's not one of infra's better services...
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On 3/9/23 05:30, Eric Covener wrote:
>
>
> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:
>
> Correction!
>
> I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
>
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>
>
> Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)

I wonder how many websites might have a snippet similar to:

RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]

Giovanni


>
> I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and it’s clear that the use of spaces in the query string of the mapped URL are the cause of the 403 forbidden messages.
>
>
>
> We can update our httpd.conf mapping code, so it won’t be a problem for us, but it might be worth updating the mod_rewrite documentation on this?
>
>
>
> Maybe we can slip an additional entry into the changelog.
> I think in this case, for now at least, we'd primarily rely on the error_log entry. Did this produce the new AH10410?
>
>
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Thu, Mar 9, 2023 at 12:14 PM <giovanni@paclan.it> wrote:
>
> On 3/9/23 05:30, Eric Covener wrote:
> >
> >
> > On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:
> >
> > Correction!
> >
> > I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
> >
> > RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >
> >
> > Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
>
> I wonder how many websites might have a snippet similar to:
>
> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]

I do worry about this style a lot more, especially with how much of a
pain [B] has been for me in the past.
I think we can wait and see and only look for more problematic
characters in the mod_rewrite.c change.
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Thu, 9 Mar 2023, Eric Covener wrote:

> On Thu, Mar 9, 2023 at 12:14 PM <giovanni@paclan.it> wrote:
>>
>> On 3/9/23 05:30, Eric Covener wrote:
>>>
>>>
>>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:
>>>
>>> Correction!
>>>
>>> I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
>>>
>>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>>>
>>>
>>> Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
>>
>> I wonder how many websites might have a snippet similar to:
>>
>> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
>
> I do worry about this style a lot more, especially with how much of a
> pain [B] has been for me in the past.
> I think we can wait and see and only look for more problematic
> characters in the mod_rewrite.c change.

I use a bit historically a rule principally like

RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]

With httpd-2.4.56 now all requests using file names containing a space are
blocked (403 Forbidden) with the according error log entry

AH10410: Rewritten query string contains control characters or spaces

The called CGI application tries to handle "bad" characters itself so from
my egoistic point of view at least spaces should be allowed here (may be
by an extra directive).

In my case, the only but unsatisfactory workaround I have found so far
would be to replace the affected spaces with %2520.

Jens
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
Or use [B], while being aware of the drawbacks.

On Thu, Mar 9, 2023 at 2:38 PM Fossies Administrator <
Jens.Schleusener@fossies.org> wrote:

> On Thu, 9 Mar 2023, Eric Covener wrote:
>
> > On Thu, Mar 9, 2023 at 12:14 PM <giovanni@paclan.it> wrote:
> >>
> >> On 3/9/23 05:30, Eric Covener wrote:
> >>>
> >>>
> >>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:
> >>>
> >>> Correction!
> >>>
> >>> I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
> >>>
> >>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >>>
> >>>
> >>> Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
> >>
> >> I wonder how many websites might have a snippet similar to:
> >>
> >> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
> >
> > I do worry about this style a lot more, especially with how much of a
> > pain [B] has been for me in the past.
> > I think we can wait and see and only look for more problematic
> > characters in the mod_rewrite.c change.
>
> I use a bit historically a rule principally like
>
> RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]
>
> With httpd-2.4.56 now all requests using file names containing a space are
> blocked (403 Forbidden) with the according error log entry
>
> AH10410: Rewritten query string contains control characters or spaces
>
> The called CGI application tries to handle "bad" characters itself so from
> my egoistic point of view at least spaces should be allowed here (may be
> by an extra directive).
>
> In my case, the only but unsatisfactory workaround I have found so far
> would be to replace the affected spaces with %2520.
>
> Jens
RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 [ In reply to ]
>> Maybe we can slip an additional entry into the changelog.
>> I think in this case, for now at least, we'd primarily rely on the error_log entry. Did this produce the new AH10410?

Yes, the error log did include the AH10410 message.

URL encoding the spaces either as \%20 (path or query string) or + (query string) does eliminate the problem for our mappings.

From: Eric Covener <covener@gmail.com>
Sent: Wednesday, March 8, 2023 8:31 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56


On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <Steven.BUSH@3ds.com> wrote:
Correction!
I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Thanks for the report. Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and it’s clear that the use of spaces in the query string of the mapped URL is the cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but it might be worth updating the mod_rewrite documentation on this?


Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the error_log entry. Did this produce the new AH10410?



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 [ In reply to ]
Saw another report on users@

Any thoughts on something like this to just allow spaces?
http://people.apache.org/~covener/patches/rewrite-lax.diff

(this is off my $bigco fork so may not actually apply)



--
Eric Covener
covener@gmail.com
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 [ In reply to ]
On Fri, 10 Mar 2023, Eric Covener wrote:

> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff
>
> (this is off my $bigco fork so may not actually apply)
>

I found now in https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_b
that the RewriteRule flag B allows also to specify special characters to
be escaped:

In 2.4.26 and later, you can limit the escaping to specific characters in
backreferences by listing them: [B=#?;]. Note: The space character can be
used in the list of characters to escape, but it cannot be the last
character in the list.

At first I had problems specifying a space character, but I found that
escaping it helps. To circumvent the above-mentioned restriction
regarding the space character, I used, as a hack, simply two of them, so using
the additional flag

[B=\ \ ]

helped at least in my case as workaround (but not yet properly tested for
side effects).

Jens
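
An added example, not part of the original thread and not httpd code: a Python lint pass that flags RewriteRule lines likely to hit AH10410 on 2.4.56, run over the three rules quoted in this thread. The function names, finding labels and the simplified tokenizer are assumptions of this example; it does not model line continuations or the `[B=\ \ ]` form.

```python
import re

# $N (RewriteRule) or %N (RewriteCond) backreference, unless backslash-escaped
BACKREF = re.compile(r"(?<!\\)[$%]\d")
# What AH10410 reports: control characters or spaces
BAD_CHAR = re.compile(r"[\x00-\x20\x7f]")


def tokenize(line):
    """Split a directive into words; simplified stand-in for httpd's parser."""
    pairs = re.findall(r'"((?:\\.|[^"\\])*)"|(\S+)', line)
    return [quoted or bare for quoted, bare in pairs]


def lint_rewrite_rule(line):
    """Return finding labels (hypothetical names) for one RewriteRule line."""
    words = tokenize(line.strip())
    if len(words) < 3 or words[0].lower() != "rewriterule":
        return []
    flags = []
    if len(words) > 3 and words[3].startswith("[") and words[3].endswith("]"):
        flags = [f.strip().upper() for f in words[3][1:-1].split(",")]
    _, has_query, query = words[2].partition("?")
    if not has_query:
        return []
    findings = []
    # Literal space in the substitution's query string: [B] cannot help,
    # because B only escapes backreferences.
    if BAD_CHAR.search(query):
        findings.append("literal-space-in-query")
    # A backreference copied into the query string without B may carry a
    # space from the request path into r->args.
    has_b = any(f == "B" or f.startswith("B=") for f in flags)
    if BACKREF.search(query) and not has_b:
        findings.append("backreference-without-B")
    return findings


# The three rules quoted in this thread, then a constructed "+"-encoded variant.
RULES = [
    r'RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]',
    r'RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]',
    r'RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]',
    r'RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number+of+Records=$1&__poolid=animal-magic" [B,PT,L,QSA]',
]

if __name__ == "__main__":
    for rule in RULES:
        print(lint_rewrite_rule(rule), rule)
```

A finding of `backreference-without-B` marks a rule to review, not a guaranteed 403: the request is only rejected when the captured text actually contains a space or control character.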
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56 [ In reply to ]
On Fri, Mar 10, 2023 at 4:34 PM Eric Covener <covener@gmail.com> wrote:
>
> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff

What about:

Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1908254)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
apr_size_t flen;
int to_proxyreq;

- if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ if (rulestatus == ACTION_NOESCAPE
+ && r->args && *(ap_scan_vchar_obstext(r->args))) {
/*
* We have a raw control character or a ' ' in r->args.
* Correct encoding was missed.
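Review bot: the added `rulestatus == ACTION_NOESCAPE` test in the `if` guards the whole `ap_scan_vchar_obstext(r->args)` check, so for every other rulestatus value raw control characters in r->args are no longer rejected, not only the spaces the thread wants to allow. The hunk does not show where r->args gets encoded on those other paths; if that is guaranteed, the comment under the condition should say so (it still reads as if the check were unconditional), otherwise keep the control-character rejection unconditional and relax only ' '.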
?

Regards;
Yann.
