Message-ID: <4F6CAEDF.4080208@kippdata.de>
Date: Fri, 23 Mar 2012 18:11:59 +0100
From: Rainer Jung
To: dev@httpd.apache.org
Subject: Re: Fix for CVE-2011-4317 broke RewriteRule in forward proxy?
References: <4F6CAC3D.3080807@kippdata.de>
In-Reply-To: <4F6CAC3D.3080807@kippdata.de>

It should be RewriteRule not RewriteMap in my previous mail. I
simplified the config to a single RewriteRule but forgot to adjust
subject and intro of my mail. The problem remains the same.

On 23.03.2012 18:00, Rainer Jung wrote:
> It seems using a rewrite map in a forward proxy is broken in 2.2.22. It
> was working until 2.2.21. The problem is the fix for CVE-2011-4317 which
> returns DECLINED in hook_uri2file() in mod_rewrite.
>
> The config is roughly:
>
> Listen 3128
>
>
> ProxyRequests on
> RewriteEngine on
>
> RewriteRule http://myserver.example.com/dummy.txt
> /opt/apache/htdocs/dummy.txt
>
>
>
> The actual config is more complex, but the above suffices to reproduce.
>
> In case you wonder why one would want to do that: the real config has a
> list of rewrite rules (actually a rewrite map) containing URLs of large
> files which have been deployed directly on the forward proxy and should
> not be proxied, instead be delivered from the local file system.
>
> The actual rules then have a part that falls back to normal proxying any
> URL, which is not handled by the rewrite rules. I omitted these here,
> because they are not relevant for reproduction.
>
> I added a log statement and it is indeed the new "return DECLINED" we
> have backported from trunk in 2.2.22. The triggering case is that the
> uri does not start with a "/".
>
> Test case:
>
> curl -x localhost:3128 http://myserver.example.com/dummy.txt
>
> Expected result: getting the file /opt/data/dummy.txt
> Actual result: The RewriteMap is not being called, instead the fallback
> config I removed here is executed and the file is retrieved from the
> origin server
>
> Any idea how to fix? Or do you think this is correct behaviour?
>
> Regards,
>
> Rainer

--
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Managing directors: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
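
The behaviour change reported in this message, as an added example in C that is not part of the original e-mail and is not mod_rewrite's code: a simplified model in which a guard declines any URI that does not start with "/" before the rules are evaluated. The function, enum and struct names are hypothetical, and the rule pattern is matched as a literal substring rather than as a regex.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the modelled URI-to-file step (hypothetical names). */
enum outcome {
    REWRITTEN_TO_FILE,  /* a rule matched; the local file is served */
    NO_RULE_MATCHED,    /* rules were evaluated, none matched */
    DECLINED_BY_GUARD   /* rules were never evaluated */
};

struct rule {
    const char *pattern;    /* literal substring here, not a regex */
    const char *local_file;
};

/* The single rule from the reduced config in the message. */
static const struct rule RULES[] = {
    { "http://myserver.example.com/dummy.txt", "/opt/apache/htdocs/dummy.txt" },
};

/* Guard as the message describes it: decline when the URI does not
 * start with "/". The NULL check is a defensive assumption. */
static int guard_declines(const char *uri)
{
    return uri == NULL || uri[0] != '/';
}

/* guard_enabled = 0 models the 2.2.21 behaviour, 1 the 2.2.22 behaviour. */
static enum outcome uri2file_model(const char *uri, int guard_enabled,
                                   const char **file_out)
{
    *file_out = NULL;
    if (guard_enabled && guard_declines(uri))
        return DECLINED_BY_GUARD;
    for (size_t i = 0; uri && i < sizeof RULES / sizeof RULES[0]; i++) {
        if (strstr(uri, RULES[i].pattern) != NULL) {
            *file_out = RULES[i].local_file;
            return REWRITTEN_TO_FILE;
        }
    }
    return NO_RULE_MATCHED;
}

int main(void)
{
    const char *file;
    const char *uri = "http://myserver.example.com/dummy.txt"; /* forward-proxy URI */
    printf("without guard: %d\n", uri2file_model(uri, 0, &file));
    printf("with guard:    %d\n", uri2file_model(uri, 1, &file));
    return 0;
}
```

The `DECLINED_BY_GUARD` outcome is distinct from `NO_RULE_MATCHED`: the rules are skipped entirely, which is why the request falls through to the proxy fallback.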