Bug 51201 - Strange behavior REQUEST_METHOD & GET in mod_rewrite
Summary: Strange behavior REQUEST_METHOD & GET in mod_rewrite
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite (show other bugs)
Version: 2.2.15
Hardware: All Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: MassUpdate
Depends on:
Blocks:
 
Reported: 2011-05-15 14:36 UTC by Guillermo Grandes
Modified: 2018-11-07 21:09 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Guillermo Grandes 2011-05-15 14:36:48 UTC
An example (or three), is worth a thousand words :-)

=== Test 1 === FAIL ==========================================
RewriteCond %{REQUEST_METHOD} !^(HEAD|POST|GET)$
RewriteRule (.*) - [L]
# Should not come here
RewriteRule ^/ http://test.localhost/?method=%{REQUEST_METHOD} [R=302,L]

=== Request Test 1:
NONE / HTTP/1.0
Accept: */*
Host: localhost

=== Response Test 1:
HTTP/1.1 302 Found
Date: Sun, 15 May 2011 14:21:34 GMT
Server: Apache
Location: http://test.localhost/?method=GET
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://test.localhost/?method=GET">here</a>.</p>
</body></html>

=== Test 2 === FAIL ==========================================
RewriteCond %{REQUEST_METHOD} !=HEAD
RewriteCond %{REQUEST_METHOD} !=POST
RewriteCond %{REQUEST_METHOD} !=GET
RewriteRule (.*) - [L]
# Should not come here
RewriteRule ^/ http://test.localhost/?method=%{REQUEST_METHOD} [R=302,L]

=== Request Test 2:
NONE / HTTP/1.0
Accept: */*
Host: localhost

=== Response Test 2:
HTTP/1.1 302 Found
Date: Sun, 15 May 2011 14:27:25 GMT
Server: Apache
Location: http://test.localhost/?method=GET
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://test.localhost/?method=GET">here</a>.</p>
</body></html>

=== Test 3 === OK ============================================
RewriteCond %{THE_REQUEST} !^(HEAD|POST|GET)
RewriteRule (.*) - [L]
# Should not come here
RewriteRule ^/ http://test.localhost/?method=%{REQUEST_METHOD} [R=302,L]

=== Request Test 3:
NONE / HTTP/1.0
Accept: */*
Host: localhost

=== Response Test 3:
HTTP/1.1 501 Method Not Implemented
Date: Sun, 15 May 2011 14:30:31 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 93
Connection: close
Content-Type: text/plain

ERROR-501 NOT_IMPLEMENTED

The server does not support the action requested by the browser.

============================================

This is a bug?
Comment 1 Nick Kew 2011-05-15 15:29:57 UTC
Works for me.  This is with 2.2.17, but I can't see anything relevant in the change log since 2.2.15.

Your apache version contains something non-standard (evidenced by the 501 error message and the unhelpful servertokens).  Please tell us what happens when you remove third-party components.

An explanation for what you describe would be that when mod_rewrite performs an internal redirect it's defaulting to GET and ignoring the bogus method.
Comment 2 Guillermo Grandes 2011-05-15 17:28:44 UTC
Thanks Nick,

There is no third-party components, the error you mention is standard core directive "ErrorDocument", a cutted/minimalist english text version of the standard error (HTTP_NOT_IMPLEMENTED.html.var):

ErrorDocument 501 /errors/501.txt

$ cat 501.txt
---- begin ---
ERROR-501 NOT_IMPLEMENTED

The server does not support the action requested by the browser.
---- end -----

==================

He repeated the test 1 & 3, disabling the ErrorDocument directive, the result is different in Test 1, returns 501 instead of 302 (correct behavior):

=== Test 1 === OK ==========================================
RewriteCond %{REQUEST_METHOD} !^(HEAD|POST|GET)$
RewriteRule (.*) - [L]
# Should not come here
RewriteRule ^/ http://test.localhost/?method=%{REQUEST_METHOD} [R=302,L]

=== Request Test 1:
NONE / HTTP/1.0
Accept: */*
Host: localhost

=== Response Test 1:
HTTP/1.1 501 Method Not Implemented
Date: Sun, 15 May 2011 17:01:26 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 206
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>NONE to / not supported.<br />
</p>
</body></html>
Connection closed by foreign host.

=== Test 3 === OK ============================================
RewriteCond %{THE_REQUEST} !^(HEAD|POST|GET)
RewriteRule (.*) - [L]
# Should not come here
RewriteRule ^/ http://test.localhost/?method=%{REQUEST_METHOD} [R=302,L]

=== Request Test 3:
NONE / HTTP/1.0
Accept: */*
Host: localhost

=== Response Test 3:
HTTP/1.1 501 Method Not Implemented
Date: Sun, 15 May 2011 16:53:08 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 206
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>NONE to / not supported.<br />
</p>
</body></html>
============================================

The combination of ErrorDocument & mod_rewrite causes this strange effect... (¿?) Is a bug? or... there is a standard/workarround way for both to coexist?
Comment 3 William A. Rowe Jr. 2018-11-07 21:09:37 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.