Page MenuHomePhorge
Create Task
Maniphest T15889

Apache 2.4.61 throws a 403 Forbidden for links containing %3F
Closed, ResolvedPublic
Actions

Description

Upstreaming from https://phabricator.wikimedia.org/T370110

/var/log/apache2/phabricator_error.log in our installation listed entries like [rewrite:error] [pid 947281:tid 947294] [client redacted] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

This happens since https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?r1=1918560&r2=1918561&pathrev=1918561&diff_format=h introduced due to https://www.cve.org/CVERecord?id=CVE-2024-38474

Revisions and Commits

rP Phorge
D25739rP4da3b096b081 Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule

Event Timeline

aklapper created this task.Jul 22 2024, 21:07
Herald added subscribers: Cigaryno, Matthew, chris, tobiaswiese. · View Herald TranscriptJul 22 2024, 21:07
aklapper added a revision: D25739: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule.Jul 22 2024, 21:11
valerio.bozzolan subscribed.Jul 23 2024, 08:23

Thanks. What happens in older Apache2 versions?

valerio.bozzolan added a comment.EditedJul 23 2024, 08:25

By the way I cannot reproduce in Apache 2.4.61 🤔 Debian package 2.4.61-1~deb12u1

http://phorge.localhost/maniphest/task/edit/form/default/?title=%3f

This just works to me and puts a ? in the title.

My conf:

<VirtualHost *:80>

        ServerName phorge.localhost

        DocumentRoot /var/www/phorge/webroot

        RewriteEngine on
        RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]

        php_admin_value post_max_size 32M

</VirtualHost>
aklapper added a comment.Jul 23 2024, 09:25
In T15889#18536, @valerio.bozzolan wrote:

Thanks. What happens in older Apache2 versions?

Nothing. :) This issue only popped up in our error logs after an Apache update.

In T15889#18537, @valerio.bozzolan wrote:

By the way I cannot reproduce in Apache 2.4.61 🤔 Debian package 2.4.61-1~deb12u1

Huh! In downstream we're still on Bullseye (deb11u1) and not yet on Bookworm (deb12u1).

valerio.bozzolan added a comment.Jul 25 2024, 10:15
In T15889#18557, @aklapper wrote:
In T15889#18536, @valerio.bozzolan wrote:

Thanks. What happens in older Apache2 versions?

Nothing. :) This issue only popped up in our error logs after an Apache update.

I mean, what does it happen when somebody adopts UnsafeAllow3F in older versions that do not support it? If the answer is "it breaks apache" maybe we should add a warning in the documentation.

aklapper closed this task as Resolved by committing rP4da3b096b081: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule.Aug 4 2024, 07:59
aklapper claimed this task.
aklapper added a commit: rP4da3b096b081: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule.
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0