Hi,

On Tue, Sep 10, 2024 at 06:59:51AM +0000, Markus Wollny wrote:
> Package: apache2
> Version: 2.4.62-1~deb12u1
> Severity: important
> X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> 
> Dear Maintainer,
> 
> After upgrading apache2 packages, we noticed that our SEO rewriting rules in 
> apache2 no longer worked and Tomcat tried to access non-existing file paths 
> with URL-encoded question marks.
> 
> I have first noticed that this issue affects Debian 12, but I can confirm that 
> it also affects Debian 11, so this happens in oldstable, apache2 
> 2.4.62-1~deb11u1, too.
> 
> To show the issue, you'll want to enable the following mods:
> a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite
> 
> I have set up a balancer worker in mods-available/proxy_balancer.conf:
> <Proxy balancer://tomcat>
>         BalancerMember ajp://localhost:8009 secret=youllneverknow
> </Proxy>
> 
> I have narrowed the issue down to using a proxy RewriteRule inside a 
> Directory block. So to reproduce, set up 
> /etc/apache2/sites-available/000-default.conf like this:
> 
> <VirtualHost *:80>
>         ServerAdmin webmaster@localhost
>         DocumentRoot /var/www/html
> 
>         ErrorLog ${APACHE_LOG_DIR}/error.log
>         CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
>         <Directory "/var/www/html">
>                 DirectoryIndex index.html
>                 RewriteEngine On
>                 RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
>         </Directory>
> </VirtualHost>
> 
> To illustrate the issue, I have set up a simple /demo/ application in Tomcat 
> 10, but the problem is caused by the Apache2 webserver, so this part is not 
> relevant here.
> 
> Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to 
> http://127.0.0.1/foo/bar/?someparam will result in the following request 
> being proxied to tomcat, as is expected:
>         GET /demo/index.jsp?rewrite=foo/bar/&someparam
> 
> After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
>         GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> 
> You can see that the complete parameter string is added twice now, with the 
> leading ? being escaped the first time around, which in turn causes the path 
> to be completely messed up, so Tomcat won't be able to find the file and 
> returns a 404 status.
> 
> When turning on debug logging in apache2, one can see that the request path 
> is still fine during mod_rewrite processing, it only gets broken during 
> mod_proxy processing. The issue does not occur when the RewriteRule is 
> placed outside of the Directory block. Unfortunately, this is not a viable 
> workaround for us, we really need to be able to use this inside <Directory> 
> and we need the full flexibility of mod_rewrite too, so we cannot implement 
> the same thing using ProxyPass, either. For now, the only resolution is to 
> downgrade the apache2 packages:
> 
> apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1 apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1 apache2-utils=2.4.61-1~deb12u1
> 
> After the downgrade, the RewriteRule with the proxy directive is back to 
> working as expected. As 2.4.62-1~deb12u1 contains security fixes, it feels 
> like having to pin the previous apache2 version is not a good solution, but 
> upgrading it is not possible until this is fixed.
> 
> If I had to guess, this may be caused by the following change:
> mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
>      "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
>      with BalancerMember(s).  PR 69168.  [Yann Ylavic]

Can you double-check if this is #1079172 and as reported upstream in
https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 ? 

Regards,
Salvatore
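
An added example, not part of either message in this thread: a small Python check that finds the mangling described in the report (the query string copied into the path behind an escaped `?`) in backend access-log lines and recovers the intended target. It assumes the backend logs the raw request target in common log format; the function names and the sample lines are constructed for illustration.

```python
import re

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENCODED_QMARK_RE = re.compile(r"%3[fF]")


def find_mangled_target(target):
    """Return the intended target if `target` shows the doubled-query
    pattern from the report, otherwise None."""
    path, sep, query = target.partition("?")
    if not sep or not query:
        return None
    # The symptom: everything after an escaped '?' in the path is an
    # exact copy of the real query string.
    for m in ENCODED_QMARK_RE.finditer(path):
        if path[m.end():] == query:
            return path[:m.start()] + "?" + query
    return None


def scan(lines):
    """Return (line number, logged target, intended target) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        intended = find_mangled_target(m.group("target"))
        if intended is not None:
            hits.append((lineno, m.group("target"), intended))
    return hits


# Constructed sample lines built from the two request targets in the report,
# plus one legitimate path that merely contains an escaped '?'.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Sep/2024:08:00:00 +0000] '
    '"GET /demo/index.jsp?rewrite=foo/bar/&someparam HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Sep/2024:08:00:01 +0000] '
    '"GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam'
    ' HTTP/1.1" 404 1024',
    '127.0.0.1 - - [10/Sep/2024:08:00:02 +0000] '
    '"GET /demo/what%3Fever.jsp?x=1 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for lineno, logged, intended in scan(SAMPLE_LOG):
        print(f"line {lineno}: {logged} -> intended {intended}")
```

Run over a backend access log from before and after the package upgrade, this shows which rewritten requests were affected without flagging paths that legitimately contain `%3F`.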
