Received: (qmail 5696 invoked by uid 501); 7 Mar 2001 02:39:35 -0000 Message-Id: <20010307023935.5695.qmail@apache.org> Date: 7 Mar 2001 02:39:35 -0000 From: Greg Ubben Reply-To: gsu@nsa.gov To: submit@bugz.apache.org Subject: mod_rewrite escapes QUERY_STRINGs where it shouldn't X-Send-Pr-Version: 3.110 >Number: 7369 >Category: mod_rewrite >Synopsis: mod_rewrite escapes QUERY_STRINGs where it shouldn't >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Mar 06 18:40:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: gsu@nsa.gov >Release: 1.3.19 >Organization: apache >Environment: Solaris 2.7 on Sun Ultra 10, gcc -O2 (though any environment) >Description: Hello. I believe fix PR#4734 in Apache 1.3.10 ("Make sure mod_rewrite escapes QUERY_STRINGS on redirects") went too far, or was fixed in the wrong place. It breaks a major web infrastructure service we use for directing "virtual" URLs to actual URLs using mod_rewrite's DBM capabilities. Here is our basic mod_rewrite configuration, which runs out of a virtual host (say, urn.bar.com): RewriteEngine on RewriteMap urn dbm:/urn/data/urn-map RewriteMap tolower int:tolower # Map URN to URL if in the table and it's a type mod_rewrite can redirect. # If extra path info given, replace the last component of the URL with it. RewriteCond ${tolower:$1} (.*) RewriteCond ${urn:%1} ^((https?|ftp)://[^?#$|]+)$ RewriteCond %1|$2 ^([^|?]+)(/.*\|)?(/[^|]*) RewriteRule ^/([^/]+)(.*) %1%3 [QSA,R,L] # pass remaining special cases and unknowns up to a CGI to handle RewriteRule ^/(.*) /urn/cgi-bin/goto/$1 [NS,T=application/x-httpd-cgi] For example, if the DBM table has in it: feedback http://foo.bar.com/cgi-bin/feedback.pl and we access this service via the virtual URL: http://urn.bar.com/feedback?to=gsu@bar.com;subject=test+this it used to correctly translate this request and redirect it to: http://foo.bar.com/cgi-bin/feedback.pl?to=gsu@bar.com;subject=test+this However as of Apache 1.3.10, it's turning the ; in the query string into a %3b, causing the resulting access to fail because the final CGI can't parse out the CGI parameters: http://foo.bar.com/cgi-bin/feedback.pl?to=gsu@bar.com%3bsubject=test+this This problem still happens as of Apache 1.3.19. I don't fully understand the original problem report or fix, but I think mod_rewrite should be able to pass an incoming query_string intact on thru to the rewritten URL that it will be redirected to. (Unless I'm missing something.) >How-To-Repeat: Can't give an actual URL as this is on a closed net. See example in description above. Don't think this is related to the DBM stuff, so the example could probably be simplified quite a bit. Probably other characters than semicolon (;) that are also a problem. >Fix: Sorry, mod_rewrite is too complex for me! Maybe original fix was applied in too general a case? (This is a great module by the way -- exactly fit the problem we were trying to solve!) >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]