Hi,

On Tue, Sep 10, 2024 at 05:07:29PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Sep 10, 2024 at 06:59:51AM +0000, Markus Wollny wrote:
> > Package: apache2
> > Version: 2.4.62-1~deb12u1
> > Severity: important
> > X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> >
> > Dear Maintainer,
> >
> > After upgrading apache2 packages, we noticed that our SEO rewriting rules
> > in apache2 no longer worked and Tomcat tried to access non-existing file
> > paths with URL-encoded question marks.
> >
> > I first noticed that this issue affects Debian 12, but I can confirm
> > that it also affects Debian 11, so this happens in oldstable, apache2
> > 2.4.62-1~deb11u1, too.
> >
> > To show the issue, you'll want to enable the following mods:
> > a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite
> >
> > I have set up a balancer worker in mods-available/proxy_balancer.conf:
> >
> > <Proxy balancer://tomcat>
> >     BalancerMember ajp://localhost:8009 secret=youllneverknow
> > </Proxy>
> >
> > I have narrowed the issue down to using a proxy RewriteRule inside a
> > Directory block. So to reproduce, set up
> > /etc/apache2/sites-available/000-default.conf like this:
> >
> > <VirtualHost *:80>
> >     ServerAdmin webmaster@localhost
> >     DocumentRoot /var/www/html
> >
> >     ErrorLog ${APACHE_LOG_DIR}/error.log
> >     CustomLog ${APACHE_LOG_DIR}/access.log combined
> >
> >     <Directory "/var/www/html">
> >         DirectoryIndex index.html
> >         RewriteEngine On
> >         RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
> >     </Directory>
> > </VirtualHost>
> >
> > To illustrate the issue, I have set up a simple /demo/ application in
> > Tomcat 10, but the problem is caused by the Apache2 webserver, so this part
> > is not relevant here.
> >
> > Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to
> > http://127.0.0.1/foo/bar/?someparam will result in the following request
> > being proxied to tomcat, as is expected:
> >
> > GET /demo/index.jsp?rewrite=foo/bar/&someparam
> >
> > After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
> >
> > GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> >
> > You can see that the complete parameter string is added twice now, with the
> > leading ? being escaped the first time around, which in turn causes the
> > path to be completely messed up, so Tomcat won't be able to find the file
> > and returns a 404 status.
> >
> > When turning on debug logging in apache2, one can see that the request path
> > is still fine during mod_rewrite processing; it only gets broken during
> > mod_proxy processing. The issue does not occur when the RewriteRule is
> > placed outside of the Directory block. Unfortunately, this is not a viable
> > workaround for us: we really need to be able to use this inside <Directory>
> > and we need the full flexibility of mod_rewrite too, so we cannot implement
> > the same thing using ProxyPass, either. For now, the only resolution is to
> > downgrade the apache2 packages:
> >
> > apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1 apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1 apache2-utils=2.4.61-1~deb12u1
> >
> > After the downgrade, the RewriteRule with the proxy directive is back to
> > working as expected. As 2.4.62-1~deb12u1 contains security fixes, it feels
> > like having to pin the previous apache2 version is not a good solution, but
> > upgrading it is not possible until this is fixed.
> >
> > If I had to guess, this may be caused by the following change:
> >
> > mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
> > "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
> > with BalancerMember(s). PR 69168. [Yann Ylavic]
>
> Can you double-check if this is #1079172 and as reported upstream in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 ?

Actually, after a quick discussion with Bastien, he pointed out
https://bz.apache.org/bugzilla/show_bug.cgi?id=69241 .

Regards,
Salvatore
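A small helper for checking what the proxy actually sends after a package upgrade, added here as an example and not part of the bug report or of the Debian or Apache projects. It is a throwaway HTTP backend that records every request target it receives and flags the doubled-query pattern shown in the report (an encoded `?` inside the path whose decoded tail repeats the query string). It assumes you can point a BalancerMember at a plain HTTP listener, for instance `BalancerMember http://127.0.0.1:8081` instead of the reporter's `ajp://localhost:8009`; whether the `http:` scheme exhibits the same mangling as `ajp:` is an assumption the report does not establish, so a clean result here does not by itself clear the AJP path. The two request targets embedded below are copied from the report and used as constructed test input.

```python
#!/usr/bin/env python3
"""Throwaway backend that records proxied request targets and flags the
doubled-query mangling from the Debian apache2 2.4.62 bug report.

Added example, not part of the report. Assumed setup: Apache with
BalancerMember http://127.0.0.1:8081 (instead of ajp://localhost:8009),
then request http://127.0.0.1/foo/bar/?someparam through Apache and
read the verdict printed by this script.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# Constructed test input: the two request lines quoted in the report.
GOOD_TARGET = "/demo/index.jsp?rewrite=foo/bar/&someparam"
BAD_TARGET = "/demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam"


def analyze_target(target: str) -> dict:
    """Split a raw request target and decide whether it shows the mangling.

    The mangled form has the query string glued into the path with its '?'
    percent-encoded (%3F) and then appended again as a real query string.
    'intended_path' is the path the backend should have been asked for.
    """
    parts = urlsplit(target)
    decoded_path = unquote(parts.path)
    intended_path = parts.path
    mangled = False
    if "?" in decoded_path:
        head, tail = decoded_path.split("?", 1)
        # Only call it the reported bug if the tail really repeats the query.
        mangled = tail == parts.query
        if mangled:
            intended_path = head
    return {
        "path": parts.path,
        "query": parts.query,
        "mangled": mangled,
        "intended_path": intended_path,
    }


class RecordingHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 and keep the analysed target in `seen`."""

    seen = []  # shared across requests; inspect it from a debugger or test

    def do_GET(self):
        info = analyze_target(self.path)  # self.path is the raw, undecoded target
        self.seen.append(info)
        verdict = "MANGLED" if info["mangled"] else "ok"
        body = (
            f"{verdict} path={info['path']} query={info['query']} "
            f"intended_path={info['intended_path']}\n"
        ).encode()
        print(body.decode().rstrip(), file=sys.stderr)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main(argv):
    port = int(argv[1]) if len(argv) > 1 else 8081  # assumed default port
    print(f"recording backend listening on 127.0.0.1:{port}", file=sys.stderr)
    HTTPServer(("127.0.0.1", port), RecordingHandler).serve_forever()


if __name__ == "__main__":
    main(sys.argv)
```

Because the script inspects the raw request target rather than a decoded path, it sees the `%3F` exactly as Tomcat would, which is what turns the path into a non-existent file and produces the 404 described in the report.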