Paths

Table of Contentst

Differential D25739

Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule
ClosedPublic
Actions

Authored by aklapper on Jul 22 2024, 21:11.

Details

Reviewers

valerio.bozzolan

Group Reviewers

O1: Blessed Committers

Maniphest Tasks

T15889: Apache 2.4.61 throws a 403 Forbidden for links containing %3F

Commits

rP4da3b096b081: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule

Summary

Since Apache HTTP Server 2.4.61 including https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?r1=1918560&r2=1918561&pathrev=1918561&diff_format=h due to https://www.cve.org/CVERecord?id=CVE-2024-38474, URIs including %3F throw a HTTP 403 error and the following error log entry:

AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

Update the corresponding RewriteRule in the Phorge configuration guide to explicitly set UnsafeAllow3F.

https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_unsafe_allow_3f

Closes T15889

Test Plan

Run Apache HTTP Server 2.4.61, go to https://phorge.localhost/maniphest/task/edit/form/default/?title=%3f and get a HTTP 403 (before) or a "?" as task title (after).

Diff Detail

Repository

rP Phorge

Branch

apache3F

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 1449
Build 1449: arc lint + arc unit

Event Timeline

aklapper created this revision.Jul 22 2024, 21:11

Owners added a reviewer: O1: Blessed Committers.Jul 22 2024, 21:11

Herald added subscribers: Cigaryno, Matthew, valerio.bozzolan, tobiaswiese. · View Herald TranscriptJul 22 2024, 21:11

aklapper requested review of this revision.Jul 22 2024, 21:11

Harbormaster completed remote builds in B1449: Diff 2262.Jul 22 2024, 21:11

valerio.bozzolan accepted this revision.Aug 2 2024, 14:27

This revision is now accepted and ready to land.Aug 2 2024, 14:27

valerio.bozzolan edited the summary of this revision. (Show Details)Aug 2 2024, 14:28

aklapper edited the summary of this revision. (Show Details)Aug 4 2024, 07:58

aklapper edited the test plan for this revision. (Show Details)

Closed by commit rP4da3b096b081: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule. · Explain WhyAug 4 2024, 07:59

This revision was automatically updated to reflect the committed changes.

aklapper added a commit: rP4da3b096b081: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule.

Revision Contents
Changeset List

Path

Size

Packages

src/

docs/

user/

configuration/

configuration_guide.diviner

2 lines

O1: Blessed Committers

Diff 2262

View Options

src/docs/user/configuration/configuration_guide.diviner

Configuration Guide: Set UnsafeAllow3F for Apache RewriteRuleClosedPublicActions