Dear maintainers,

The latest update of apache2 in bookworm-security (2.4.62-1~deb12u2) introduced a regression.
Here is the minimal repro I came up with.

------------------------------------------------------------
Modules:
  # a2enmod rewrite
  # a2enmod proxy
  # a2enmod proxy_http
------------------------------------------------------------
Apache configuration:
  # cat /etc/apache2/sites-enabled/000-default.conf
  <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine On
        RewriteCond %{THE_REQUEST} "^\S+\s+/(proxy)/(.*) HTTP"
        RewriteRule ^ http://127.0.0.1:9010/%1/%2? [P,L,NE,QSL]
  </VirtualHost>

------------------------------------------------------------
(Minimal Python server)
# cat server.py
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    # Answer every GET with a fixed body so the proxied response is easy to recognise.
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Hello World!\n")


def run(host='', port=9010, server_class=HTTPServer, handler_class=Handler):
    # Listen on all interfaces, port 9010 (the RewriteRule target above).
    server_address = (host, port)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


run()
------------------------------------------------------------

Behavior with 2.4.62-1~deb12u2:

  $ curl -i 'http://127.0.0.1/proxy/test?test'
  HTTP/1.1 403 Forbidden
  Date: Fri, 11 Oct 2024 07:12:50 GMT
  Server: Apache/2.4.62 (Debian)
  Content-Length: 274
  Content-Type: text/html; charset=iso-8859-1

  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p>You don't have permission to access this resource.</p>
  <hr>
  <address>Apache/2.4.62 (Debian) Server at 127.0.0.1 Port 80</address>
  </body></html>

  # tail /var/log/apache2/error.log
  [Fri Oct 11 09:11:55.791476 2024] [rewrite:error] [pid 30266:tid 30269] [client 192.168.122.254:53406] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
  [Fri Oct 11 09:12:50.602381 2024] [rewrite:error] [pid 30267:tid 30275] [client 127.0.0.1:55978] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F


Reverting to 2.4.62-1~deb12u1:

  # v=2.4.62-1~deb12u1; apt install apache2=$v apache2-bin=$v apache2-data=$v apache2-utils=$v

  $ curl -i 'http://127.0.0.1/proxy/test?test'
  HTTP/1.1 200 OK
  Date: Fri, 11 Oct 2024 07:15:19 GMT
  Server: BaseHTTP/0.6 Python/3.11.2
  Transfer-Encoding: chunked

  Hello World!


Adding the flag UnsafeAllow3F does make it work as expected, although it does not make much sense to me in this example as there is no %3f anywhere here.

Note:
I think that for our use case the UnsafeAllow3F flag will in fact be needed anyway, the point of this configuration being to not filter/canonicalise anything for this precise reverse proxy.
Thus this workaround might be OK in our case (I'll check in detail later).


Regards,
Romain Aigron
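As an added example (not part of the report above, and not Debian's or Apache's code): a small log check an administrator can run after installing 2.4.62-1~deb12u2 to find which rewrites are now being refused with AH10508 and from which clients. The sample lines are constructed from the two error-log entries quoted in the report plus one unrelated notice line; the regular expression assumes the Apache 2.4 default ErrorLogFormat.

```python
"""Scan an Apache error log for AH10508 (mod_rewrite's "Unsafe URL with %3f
URL rewritten without UnsafeAllow3F" error) and summarise hits per client.

Added example, not part of the bug report. Sample lines below are constructed
from the two entries quoted in the report plus one unrelated notice line.
"""
import re
from collections import Counter

# Matches the Apache 2.4 default ErrorLogFormat:
#   [%t] [%l] [pid %P:tid %T] [client %a] %M
LOG_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] "
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)
AH_RE = re.compile(r"\b(AH\d{5}):")

SAMPLE_LOG = """\
[Fri Oct 11 09:11:55.791476 2024] [rewrite:error] [pid 30266:tid 30269] [client 192.168.122.254:53406] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Fri Oct 11 09:12:50.602381 2024] [rewrite:error] [pid 30267:tid 30275] [client 127.0.0.1:55978] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Fri Oct 11 09:13:01.000000 2024] [mpm_event:notice] [pid 30265:tid 30265] AH00489: Apache/2.4.62 (Debian) configured -- resuming normal operations
"""

def parse_line(line):
    """Return a dict for one error-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ah = AH_RE.search(rec["msg"])
    rec["code"] = ah.group(1) if ah else None
    return rec

def find_blocked_rewrites(text, code="AH10508"):
    """Return (matching records, per-client-IP count) for log lines carrying `code`."""
    hits = [r for r in map(parse_line, text.splitlines()) if r and r["code"] == code]
    # The client field is "ip:port"; aggregate by IP only.
    by_ip = Counter(r["client"].rsplit(":", 1)[0] for r in hits if r["client"])
    return hits, by_ip

if __name__ == "__main__":
    hits, by_ip = find_blocked_rewrites(SAMPLE_LOG)
    print(f"{len(hits)} rewrite(s) refused with AH10508")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n}")
```

Point it at the real file with `find_blocked_rewrites(open("/var/log/apache2/error.log").read())` to see whether the refusals come from a single proxied path or from many clients before deciding on UnsafeAllow3F.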
