Ticket #690 (assigned task)

Opened 10 months ago

Last modified 2 months ago

Investigate possible impact of Apache Issue 34602, fixed in Apache HTTP Server 2.2.8, on routing

Reported by: david
Owned by: david
Priority: normal
Milestone:
Component: routing
Version: 0.11.0
Severity: normal
Keywords:
Cc:
Patch attached: no

Description (last modified by david)

from http://www.apache.org/dist/httpd/CHANGES_2.2.8:

  *) mod_rewrite: Add option to suppress URL unescaping
     PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>]

more info: http://issues.apache.org/bugzilla/show_bug.cgi?id=34602

the flag is B

change info: http://marc.info/?t=118925575100001&r=1&w=2

in essence... we will likely need support for that flag.

Change History

Changed 10 months ago by david

  • description modified

Changed 9 months ago by david

Also see http://issues.apache.org/bugzilla/show_bug.cgi?id=39746

We might need conditionals that check for the versions and encode/decode the routing input accordingly. We could also mandate the use of this new B flag for Apache 2.2.8 or higher (or document that people should NEVER use it, or have a switch).

Changed 9 months ago by david

  • type changed from defect to task

Changed 8 months ago by david

  • milestone changed from 0.11.1 to 0.11.2

reassigning to 0.11.2 since it's not urgent at all

Changed 5 months ago by david

  • milestone changed from 0.11.2 to 0.11.3

Changed 3 months ago by david

  • milestone changed from 0.11.3 to 1.0

moving to 1.0 for more detailed inspection of what so far doesn't appear to be a problem

Changed 2 months ago by david

  • status changed from new to assigned
  • milestone changed from 1.0 to 0.11.3

Changed 2 months ago by david

  • milestone 0.11.3 deleted

removing milestone. bug still exists in apache, see https://issues.apache.org/bugzilla/show_bug.cgi?id=45529 - we'll have to wait for it to be really fixed to start playing around with it.

once it works as advertised, I believe we can take advantage of it and start mandating it in Agavi itself.

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteflags has an example:

'B' (escape backreferences) Apache has to unescape URLs before mapping them, so backreferences will be unescaped at the time they are applied. Using the B flag, non-alphanumeric characters in backreferences will be escaped. For example, consider the rule:

RewriteRule ^(.*)$ index.php?show=$1

This will map /C++ to index.php?show=/C++. But it will also map /C%2b%2b to index.php?show=/C++, because the %2b has been unescaped. With the B flag, it will instead map to index.php?show=/C%2b%2b.

This escaping is particularly necessary in a proxy situation, when the backend may break if presented with an unescaped URL.

This is something I have observed as well, and I believe it's a real problem, so for an Apache version that has a properly working B flag implementation, we should require people to use the flag. At the moment, there's special code inside AgaviWebRouting to handle this behavior of Apache.
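
A small Python model of the behaviour described in the quoted mod_rewrite documentation, added here as an example; it is not code from the ticket, from Agavi or from Apache. The helper names are hypothetical, and the model follows the quoted sentence literally by escaping every non-alphanumeric byte of the backreference, '/' included, then shows what a form-style query-string parser on the backend decodes as show.

```python
import re
from urllib.parse import parse_qs, unquote

# Pattern and substitution of the RewriteRule quoted in the comment above.
RULE = re.compile(r"^(.*)$")
TARGET = "index.php?show={}"


def escape_backref(value):
    """Model of the B flag: percent-encode every non-alphanumeric byte."""
    return "".join(
        chr(b) if b < 128 and chr(b).isalnum() else "%{:02x}".format(b)
        for b in value.encode("utf-8")
    )


def rewrite(request_path, b_flag):
    """Map a raw (still percent-encoded) request path to the rewritten target."""
    path = unquote(request_path)  # the URL is unescaped before the rule is applied
    match = RULE.match(path)
    if match is None:  # rule does not apply, path passes through unchanged
        return path
    backref = match.group(1)
    if b_flag:
        backref = escape_backref(backref)
    return TARGET.format(backref)


def backend_show(target):
    """Value of 'show' as a form-style query-string parser decodes it."""
    query = target.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)["show"][0]


if __name__ == "__main__":
    # Constructed sample requests: the two paths from the quoted documentation.
    for raw in ("/C++", "/C%2b%2b"):
        for b_flag in (False, True):
            target = rewrite(raw, b_flag)
            print(f"{raw!r:12} B={b_flag!s:5} -> {target!r:30} show={backend_show(target)!r}")
```

Without B the parser returns '/C' followed by two spaces for both requests, because the unescaped plus signs are read as spaces; with B it returns '/C++'.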
