Using a RewriteRule on a proxy to match access to /console/ of the application server console, and to catch XSS attacks and redirect them outside, has a problem when using this RewriteRule on a virtual host:

RewriteRule ^/console/(.*) http://www.mynewdomain.it/$1 [L,P]

If I use http://www.mydomain.it/console/ in my browser, it works.

If I use http://www.mydomain.it/%63%6f%6e%73%6f%6c%65%2f in my browser, which is the hex format of "console/", it does not match, and I get an error like "The requested URL /console/ was not found on this server".

Using hex encoding I could potentially bypass the Rewrite Engine rule and bypass the proxy pass rule, resulting in access to parts of the site not available to everyone and directory traversal of the site or of the proxy.
So, why exactly didn't you read/respond to the thread that you raised on users@httpd.apache.org before filing this bug? Anyway, the character '/' is in the RFC 2396 "reserved" set and is therefore not equivalent to its hex encoding. Apache httpd ALWAYS responds with a 404 to requests containing %2f unless AllowEncodedSlashes is set on. Therefore there is no possibility to bypass rewriterules.
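
Added example, not part of the bug thread and not httpd's own code: a simplified Python model of the behaviour described in the reply, showing that the report's URL is rejected because of the encoded slash while the same path with a literal slash is decoded and still hits the rule. The function name `classify`, the verdict strings and the sample paths are assumptions made for illustration.

```python
import re
import string

# The pattern from the RewriteRule in the report (virtual-host context).
CONSOLE_RULE = re.compile(r"^/console/(.*)")


def classify(raw_path, allow_encoded_slashes=False):
    """Model how a raw request path is treated before the rule is tried.

    Returns (verdict, decoded_path). Simplified: real httpd performs
    further normalisation that is not modelled here.
    """
    out = []
    bad_path = False
    i = 0
    while i < len(raw_path):
        ch = raw_path[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        pair = raw_path[i + 1:i + 3]
        if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
            return ("rejected-400", None)      # malformed escape
        decoded = chr(int(pair, 16))
        # An encoded "/" (reserved character) or NUL marks the path as bad
        # unless encoded slashes were explicitly allowed.
        if decoded == "\0" or (decoded == "/" and not allow_encoded_slashes):
            bad_path = True
        out.append(decoded)
        i += 3
    if bad_path:
        return ("rejected-404", None)
    path = "".join(out)
    if CONSOLE_RULE.match(path):
        return ("rule-applies", path)
    return ("no-match", path)


if __name__ == "__main__":
    # Constructed sample paths, including the one from the report.
    for sample in ("/console/",
                   "/%63%6f%6e%73%6f%6c%65%2f",
                   "/%63%6f%6e%73%6f%6c%65/",
                   "/index.html"):
        print(sample, "->", classify(sample))
```

In this model the encoded form of "console" never escapes the rule: it is either refused outright (encoded slash) or decoded to /console/ before matching.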