Index: docs/manual/mod/mod_rewrite.xml
===================================================================
--- docs/manual/mod/mod_rewrite.xml	(revision 1754984)
+++ docs/manual/mod/mod_rewrite.xml	(working copy)
@@ -272,6 +272,25 @@
          supply this extended context info.  Available in 2.4.16 and later.</p>
       </dd>
 
+
+      <dt><code>LegacyPrefixDocRoot</code></dt>
+      <dd>
+
+      <p>Prior to 2.4.24, if a substitution was an absolute URL that matched
+         the current virtual host, the URL might first be reduced to a URL-path
+         and then later reduced to a local path. Since the URL can be reduced 
+         to a local path, the path should be prefixed with the document root. 
+         This prevents a file such as /tmp/myfile from being accessed when a 
+         request is made to http://host/file/myfile with the following 
+         <directive module="mod_rewrite">RewriteRule</directive>.</p>
+      <highlight language="config">
+          RewriteRule /file/(.*) http://localhost/tmp/$1
+      </highlight>
+      <p>This option allows the old behavior to be used where the document
+         root is not prefixed to a local path that was reduced from a 
+         URL.  Available in 2.4.24 and later.</p>
+      </dd>
+
       </dl>
 </usage>
 
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c	(revision 1754984)
+++ modules/mappers/mod_rewrite.c	(working copy)
@@ -202,6 +202,7 @@
 #define OPTION_INHERIT_DOWN_BEFORE  (1<<7)
 #define OPTION_IGNORE_INHERIT       (1<<8)
 #define OPTION_IGNORE_CONTEXT_INFO  (1<<9)
+#define OPTION_LEGACY_PREFIX_DOCROOT (1<<10)
 
 #ifndef RAND_MAX
 #define RAND_MAX 32767
@@ -870,8 +871,15 @@
 
         /* now check whether we could reduce it to a local path... */
         if (ap_matches_request_vhost(r, host, port)) {
+            rewrite_server_conf *conf = 
+                ap_get_module_config(r->server->module_config, &rewrite_module);
             rewritelog((r, 3, NULL, "reduce %s -> %s", r->filename, url));
             r->filename = apr_pstrdup(r->pool, url);
+
+            /* remember that the uri was reduced */
+            if(!(conf->options & OPTION_LEGACY_PREFIX_DOCROOT)) {
+                apr_table_setn(r->notes, "mod_rewrite_uri_reduced", "true");
+            }
         }
     }
 
@@ -3026,6 +3034,9 @@
         else if (!strcasecmp(w, "ignorecontextinfo")) {
             options |= OPTION_IGNORE_CONTEXT_INFO;
         }
+        else if (!strcasecmp(w, "legacyprefixdocroot")) {
+            options |= OPTION_LEGACY_PREFIX_DOCROOT;
+        }
         else {
             return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
                                w, "'", NULL);
@@ -4793,6 +4804,7 @@
         }
         else {
             /* it was finally rewritten to a local path */
+            const char *uri_reduced = NULL;
 
             /* expand "/~user" prefix */
 #if APR_HAS_USER
@@ -4828,7 +4840,12 @@
              * because we only do stat() on the first directory
              * and this gets cached by the kernel for along time!
              */
-            if (!prefix_stat(r->filename, r->pool)) {
+
+            if(!(conf->options & OPTION_LEGACY_PREFIX_DOCROOT)) {
+                uri_reduced = apr_table_get(r->notes, "mod_rewrite_uri_reduced");
+            }
+
+            if (!prefix_stat(r->filename, r->pool) || uri_reduced != NULL) {
                 int res;
                 char *tmp = r->uri;