[Bug 1394403] Re: RewriteRule of "^$" is broken
Robie Basak
1394403 at bugs.launchpad.net
Wed Aug 26 13:52:30 UTC 2015
Thanks Wesley, this looks good.
Some minor changes please:
1) Please could you add an Origin: header to the debdiff? Something like
"Origin: upstream,
https://github.com/apache/httpd/commit/f0529e54b8d889322b5113eb623e263556bfa28e"
or "Origin: backport,
https://github.com/apache/httpd/commit/f0529e54b8d889322b5113eb623e263556bfa28e"
depending on whether you had to tweak the diff or not. Sorry I didn't
mention this on IRC before - I saw the Closes/LP thing on a quick glance
but I didn't review properly.
2) Please could you note what's going on with the new
DirectoryCheckHandler directive in the debian/changelog entry? In
particular, I think it should answer: should users expect any behaviour
changes when updating and not changing anything; and what users need to
do to fix the bug after the update is applied (set DirectoryCheckHandler
to something?)
3) Given that the directive is being added, it should probably be noted
in the Regression Potential section, along with stating whether default
behaviour is being changed or not, and we should probably add a test
case to the Test Case section to make sure that the path that shouldn't
change is also exercised to ensure that it indeed hasn't changed.
I think I'm asking for 2 and 3 really because I don't feel that I yet
have clarity on exactly which way round the new directive works, and
what expectations are with regard to behaviour changes on the SRU update
(rather than against 2.2). I understand that parity against 2.2 is
needed to fix the bug, but from an SRU and regression perspective it's
behaviour changes on the SRU update itself that I'm bothered about.
Essentially, it comes down to: how are we ensuring that no user will
scream at us for breaking behaviour in pushing this SRU?
I'm sorry that this is a bit more complicated that I originally expected
when I asked you to look at this because of the behaviour issue.
With these changes, assuming it builds and you've tested it then I'm
happy to sponsor an upload. Thanks!
Log from IRC:
11:30 <rbasak> mdeslaur: around? I'm looking at sponsoring bug 1394403 -
as you're looked at it before I'd like your opinion please.
11:30 <ubottu> bug 1394403 in apache2 (Ubuntu Trusty) "RewriteRule of
"^$" is broken" [Medium,Confirmed] https://launchpad.net/bugs/1394403
11:31 <rbasak> when I asked magicalChicken to look at it I didn't
realise the upstream fix would add a configuration directive. But it
looks like it's safe as it defaults to the same behaviour. Had you
considered this already? Does it also look reasonable to you?
11:31 <rbasak> I also think we should include the documentation update
in our backport - better than not having it in the SRU IMHO.
12:10 <mdeslaur> rbasak: I'm ok with the new config option...I've added
options before to packages as security updates, so it's not like we
haven't done it before. The option will change the behaviour though, but
cases where it will break something are unlikely
12:10 <mdeslaur> rbasak: for the documentation, meh...if it were man
pages, I'd push for it...but the static web documentation, meh
12:10 <mdeslaur> rbasak: especially since there are localized versions
of the documentation and we'd only be updating the english version
12:11 <mdeslaur> rbasak: the only thing is perhaps add what the option
is and how the default has changed to the changelog
12:16 <rbasak> mdeslaur: OK. Thanks!
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1394403
Title:
RewriteRule of "^$" is broken
Status in Apache2 Web Server:
Unknown
Status in apache2 package in Ubuntu:
Fix Released
Status in apache2 source package in Trusty:
Confirmed
Bug description:
[Test Case]
Setup
Apache 2.4.7
* mod_rewrite
* mod_ajp
* mod_dir
Tomcat
* Listening on Port 9001
Apache with a .htaccess in the example.net VirtualHost
RewriteEngine On
RewriteRule ^(.*)$ ajp://localhost:9001/$1 [P]
Expected:
Return from Tomcat
HTTP Status 404 - /
Reality:
Return from Tomcat
HTTP Status 404 - /index.html
Workaround for this particular setup was to either disable mod_dir or disable DirectoryIndex in .htaccess.
Or on VirtualHost context use ProxyPass.
ProxyPass / ajp://localhost:9001/
ProxyPassReverse / ajp://localhost:9001/
[Impact]
With DirectoryIndex disabled:
<pre>
[Thu Apr 30 13:55:18.761066 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ ->
[Thu Apr 30 13:55:18.761191 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri ''
[Thu Apr 30 13:55:18.761215 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/'
[Thu Apr 30 13:55:18.761232 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/
[Thu Apr 30 13:55:18.761245 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/
[Thu Apr 30 13:55:18.761259 2015] [rewrite:trace1] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK]
</pre>
With DirectoryIndex enabled:
<pre>
[Thu Apr 30 13:58:37.954876 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ ->
[Thu Apr 30 13:58:37.954930 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri ''
[Thu Apr 30 13:58:37.954947 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/'
[Thu Apr 30 13:58:37.954959 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/
[Thu Apr 30 13:58:37.954968 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/
[Thu Apr 30 13:58:37.954977 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK]
[Thu Apr 30 13:58:37.955023 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/index.html -> index.html
[Thu Apr 30 13:58:37.955036 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri 'index.html'
[Thu Apr 30 13:58:37.955076 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] rewrite 'index.html' -> 'ajp://localhost:9001/index.html'
[Thu Apr 30 13:58:37.955086 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/index.html -> ajp://localhost:9001/index.html
[Thu Apr 30 13:58:37.955094 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/index.html
[Thu Apr 30 13:58:37.955103 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/index.html [OK]
</pre>
[Regression Potential]
As stated on the apache bugtracker
https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10:
"The behavior now seems to be consistent with 2.2, and a rewrite rule
that conflicts with a DirectoryIndex gets applied."
[Original Description]
Ubuntu 14.04LTS x86_64
In apache 2.4.7 there is a bug in mod_dir, in that it does not stop
when the URL has just been rewritten by mod_rewrite.
If you have rewrite rules in .htaccess, ending in a [P] for an
external URL, rule execution should stop and mod_proxy should go and
fetch the given URL. Instead, mod_dir fires another round of rewrite
rule checks as it looks for .../index.html, possibly giving completely
different results (e.g. not fetching from remote site).
http://www.apachelounge.com/Changelog-2.4.html:
...
*) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a
URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
...
http://stackoverflow.com/questions/17095981/why-apache-mod-rewrite-
rewrites-twice-my-url
Please backport the for PR53929
(or update apache package to 2.4.9)
To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1394403/+subscriptions
More information about the Ubuntu-sponsors
mailing list