[Bug 1394403] Re: RewriteRule of "^$" is broken

Robie Basak 1394403 at bugs.launchpad.net
Wed Aug 26 13:52:30 UTC 2015


Thanks Wesley, this looks good.

Some minor changes please:

1) Please could you add an Origin: header to the debdiff? Something like
"Origin: upstream,
https://github.com/apache/httpd/commit/f0529e54b8d889322b5113eb623e263556bfa28e"
or "Origin: backport,
https://github.com/apache/httpd/commit/f0529e54b8d889322b5113eb623e263556bfa28e"
depending on whether you had to tweak the diff or not. Sorry I didn't
mention this on IRC before - I saw the Closes/LP thing on a quick glance
but I didn't review properly.

2) Please could you note what's going on with the new
DirectoryCheckHandler directive in the debian/changelog entry? In
particular, I think it should answer: should users expect any behaviour
changes when updating and not changing anything; and what users need to
do to fix the bug after the update is applied (set DirectoryCheckHandler
to something?)

3) Given that the directive is being added, it should probably be noted
in the Regression Potential section, along with stating whether default
behaviour is being changed or not, and we should probably add a test
case to the Test Case section to make sure that the path that shouldn't
change is also exercised to ensure that it indeed hasn't changed.

I think I'm asking for 2 and 3 really because I don't feel that I yet
have clarity on exactly which way round the new directive works, and
what expectations are with regard to behaviour changes on the SRU update
(rather than against 2.2). I understand that parity against 2.2 is
needed to fix the bug, but from an SRU and regression perspective it's
behaviour changes on the SRU update itself that I'm bothered about.
Essentially, it comes down to: how are we ensuring that no user will
scream at us for breaking behaviour in pushing this SRU?

I'm sorry that this is a bit more complicated than I originally expected
when I asked you to look at this because of the behaviour issue.

With these changes, assuming it builds and you've tested it then I'm
happy to sponsor an upload. Thanks!

Log from IRC:

11:30 <rbasak> mdeslaur: around? I'm looking at sponsoring bug 1394403 -
as you've looked at it before I'd like your opinion please.

11:30 <ubottu> bug 1394403 in apache2 (Ubuntu Trusty) "RewriteRule of
"^$" is broken" [Medium,Confirmed] https://launchpad.net/bugs/1394403

11:31 <rbasak> when I asked magicalChicken to look at it I didn't
realise the upstream fix would add a configuration directive. But it
looks like it's safe as it defaults to the same behaviour. Had you
considered this already? Does it also look reasonable to you?

11:31 <rbasak> I also think we should include the documentation update
in our backport - better than not having it in the SRU IMHO.

12:10 <mdeslaur> rbasak: I'm ok with the new config option...I've added
options before to packages as security updates, so it's not like we
haven't done it before. The option will change the behaviour though, but
cases where it will break something are unlikely

12:10 <mdeslaur> rbasak: for the documentation, meh...if it were man
pages, I'd push for it...but the static web documentation, meh

12:10 <mdeslaur> rbasak: especially since there are localized versions
of the documentation and we'd only be updating the english version

12:11 <mdeslaur> rbasak: the only thing is perhaps add what the option
is and how the default has changed to the changelog

12:16 <rbasak> mdeslaur: OK. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1394403

Title:
  RewriteRule of "^$" is broken

Status in Apache2 Web Server:
  Unknown
Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Trusty:
  Confirmed

Bug description:
  [Test Case]

  Setup
  Apache 2.4.7
  * mod_rewrite
  * mod_ajp
  * mod_dir

  Tomcat
  * Listening on Port 9001

  Apache with a .htaccess in the example.net VirtualHost

    RewriteEngine On
    RewriteRule ^(.*)$ ajp://localhost:9001/$1 [P]

  
  Expected:
  Return from Tomcat

    HTTP Status 404 - /

  Reality:
  Return from Tomcat

    HTTP Status 404 - /index.html

  
  Workaround for this particular setup was to either disable mod_dir or disable DirectoryIndex in .htaccess.

  Or on VirtualHost context use ProxyPass.

    ProxyPass / ajp://localhost:9001/
    ProxyPassReverse / ajp://localhost:9001/

  
  [Impact]

  With DirectoryIndex disabled:
  <pre>
  [Thu Apr 30 13:55:18.761066 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> 
  [Thu Apr 30 13:55:18.761191 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri ''
  [Thu Apr 30 13:55:18.761215 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/'
  [Thu Apr 30 13:55:18.761232 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/
  [Thu Apr 30 13:55:18.761245 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/
  [Thu Apr 30 13:55:18.761259 2015] [rewrite:trace1] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK]
  </pre>

  With DirectoryIndex enabled:
  <pre>
  [Thu Apr 30 13:58:37.954876 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> 
  [Thu Apr 30 13:58:37.954930 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri ''
  [Thu Apr 30 13:58:37.954947 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/'
  [Thu Apr 30 13:58:37.954959 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/
  [Thu Apr 30 13:58:37.954968 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/
  [Thu Apr 30 13:58:37.954977 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK]
  [Thu Apr 30 13:58:37.955023 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/index.html -> index.html
  [Thu Apr 30 13:58:37.955036 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri 'index.html'
  [Thu Apr 30 13:58:37.955076 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] rewrite 'index.html' -> 'ajp://localhost:9001/index.html'
  [Thu Apr 30 13:58:37.955086 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/index.html -> ajp://localhost:9001/index.html
  [Thu Apr 30 13:58:37.955094 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/index.html
  [Thu Apr 30 13:58:37.955103 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/index.html [OK]
  </pre>

  
  [Regression Potential]

  As stated on the apache bugtracker
  https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10:

  "The behavior now seems to be consistent with 2.2, and a rewrite rule
  that conflicts with a DirectoryIndex gets applied."

  [Original Description]
  Ubuntu 14.04LTS x86_64

  In apache 2.4.7 there is a bug in mod_dir, in that it does not stop
  when the URL has just been rewritten by mod_rewrite.

  If you have rewrite rules in .htaccess, ending in a [P] for an
  external URL, rule execution should stop and mod_proxy should go and
  fetch the given URL. Instead, mod_dir fires another round of rewrite
  rule checks as it looks for .../index.html, possibly giving completely
  different results (e.g. not fetching from remote site).

  http://www.apachelounge.com/Changelog-2.4.html:

    ...
    *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a
       URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
    ...

  http://stackoverflow.com/questions/17095981/why-apache-mod-rewrite-rewrites-twice-my-url

  Please backport the fix for PR53929
  (or update apache package to 2.4.9)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1394403/+subscriptions
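
An added example, not part of the original message or bug report: a small Python check that scans mod_rewrite trace logs in the format quoted above for the symptom the bug describes, an initial request that is handed to the proxy followed by a sub-request on the same connection that is proxied to a different target. The sample lines are constructed in the page's log format; the client address 192.0.2.10 and the names `_line`, `SAMPLE` and `find_double_proxy` are assumptions.

```python
import re

# Fields of a mod_rewrite "go-ahead with proxy request" trace line.
LINE = re.compile(
    r"\[pid (?P<pid>\d+)\].*?\[client (?P<client>[^\]]+)\]"
    r".*?\[rid#(?P<rid>[0-9a-f]+)/(?P<kind>initial|subreq)[^\]]*\]"
    r".*?go-ahead with proxy request proxy:(?P<target>\S+) \[OK\]"
)

def find_double_proxy(lines):
    """Return (client, initial_target, subreq_target) for each connection
    whose rewritten request was proxied and then proxied again, to a
    different target, from a sub-request (the mod_dir index lookup)."""
    last_initial = {}  # (pid, client) -> proxy target of the initial request
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a proxy go-ahead line
        key = (m["pid"], m["client"])
        if m["kind"] == "initial":
            last_initial[key] = m["target"]
        elif key in last_initial and m["target"] != last_initial[key]:
            findings.append((m["client"], last_initial.pop(key), m["target"]))
    return findings

def _line(pid, port, rid, kind, msg):
    # Constructed sample line following the trace format shown in the report.
    return (f"[Thu Apr 30 13:58:37.954977 2015] [rewrite:trace1] [pid {pid}] "
            f"mod_rewrite.c(468): [client 192.0.2.10:{port}] 192.0.2.10 - - "
            f"[example.net/sid#7fc6ddd849f8][rid#{rid}/{kind}] "
            f"[perdir /home/www-data/example.net/] {msg}")

GO = "go-ahead with proxy request proxy:ajp://localhost:9001/"
SAMPLE = [  # constructed: first request is clean, second shows the bug
    _line(31422, 38052, "7fc6ddcb50a0", "initial", GO + " [OK]"),
    _line(31419, 38156, "7fc6ddcb10a0", "initial",
          "applying pattern '^(.*)$' to uri ''"),
    _line(31419, 38156, "7fc6ddcb10a0", "initial", GO + " [OK]"),
    _line(31419, 38156, "7fc6ddcb30a0", "subreq", GO + "index.html [OK]"),
]

if __name__ == "__main__":
    for client, first, second in find_double_proxy(SAMPLE):
        print(f"{client}: proxied to {first}, then sub-request to {second}")
```

Running the same check before and after the update, with and without DirectoryIndex set, covers both the fixed path and the path that should not change.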


