Page MenuHomePhorge
Differential D25739

Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule
ClosedPublic
Actions

Authored by aklapper on Jul 22 2024, 21:11.

Details

Reviewers
valerio.bozzolan
Group Reviewers
O1: Blessed Committers
Maniphest Tasks
T15889: Apache 2.4.61 throws a 403 Forbidden for links containing %3F
Commits
rP4da3b096b081: Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule
Summary

Since Apache HTTP Server 2.4.61 including https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?r1=1918560&r2=1918561&pathrev=1918561&diff_format=h due to https://www.cve.org/CVERecord?id=CVE-2024-38474, URIs including %3F throw a HTTP 403 error and the following error log entry:

AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

Update the corresponding RewriteRule in the Phorge configuration guide to explicitly set UnsafeAllow3F.

https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_unsafe_allow_3f

Closes T15889

Test Plan

Run Apache HTTP Server 2.4.61, go to https://phorge.localhost/maniphest/task/edit/form/default/?title=%3f and get a HTTP 403 (before) or a "?" as task title (after).

Diff Detail

Repository
rP Phorge
Branch
apache3F
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 1449
Build 1449: arc lint + arc unit

Revision Contents
Changeset List

PathSizePackages
src/
docs/
user/
configuration/
2 linesO1: Blessed Committers

Diff 2262

View Options

src/docs/user/configuration/configuration_guide.diviner

Loading...
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0