I moved from 2.2.21 to 2.2.22 on Fedora 15, and my mod_rewrite commands are no longer parsed when the request is the CONNECT method. It used to be possible and reasonably documented to be able to do rewrites like: RewriteCond %{REQUEST_METHOD} ^connect$ [NC] RewriteCond %{THE_REQUEST} !^connect\ tunnel-([^\ ]+)\.proxymachine\.net:([0-9]+)\ .*$ [NC] RewriteRule ^(.*)$ $1 [F,L] I use code like this to rewrite the uri to point to the tunnel endpoint from a RewriteMap file, and this has worked well for a few years. Even at logging level 9 nothing it produced in 2.2.22. Reverting the mod_rewrite module to 2.2.21 fixes the issue. Although not tested, I suspect httpd-2.2.22/modules/mappers/mod_rewrite.c at line 4268, which returns DECLINED if the uri[0] is not "/". However CONNECT is more likely to have the format "CONNECT the.machine.com:6000", and this contains no "/" characters. In fact attempting a CONNECT with a "/" gives an error very early on in the parse tree. I think the " r->uri[0] != '/' " test should have been guarded with a " r->method_number == M_CONNECT " test, but to be honest I have not tested this except in my head. Could we also add mod_rewrite parsing CONNECT as a regression test? It is so useful but perhaps there are only a few of us making use of it that it would take a while for someone to notice. Thanks. I hope this report was useful. And by the way thanks for all your efforts! Gordon.
The following patch fixes the problem for me. It also gives some logging for future users want to debug similar issues. ----- diff -Npru httpd-2.2.22.orig/modules/mappers/mod_rewrite.c httpd-2.2.22/modules/ mappers/mod_rewrite.c --- httpd-2.2.22.orig/modules/mappers/mod_rewrite.c 2012-01-24 19:39:31.0000 00000 +0000 +++ httpd-2.2.22/modules/mappers/mod_rewrite.c 2012-05-24 14:47:49.949153810 +0 100 @@ -4267,10 +4267,14 @@ static int hook_uri2file(request_rec *r) } if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') - || !r->uri || r->uri[0] != '/') { + || !r->uri || + (r->uri[0] != '/' && r->method_number != M_CONNECT)) { + rewritelog((r, 2, NULL, "uri %s is considered a security risk", + r->uri)); return DECLINED; } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects
Sorry to keep going on... Looking at my patch maybe the rewritelog line needs to be protected against r->uri being null? Probably someone with security knowledge should check this! So maybe: diff -Npru httpd-2.2.22.orig/modules/mappers/mod_rewrite.c httpd-2.2.22/modules/ mappers/mod_rewrite.c --- httpd-2.2.22.orig/modules/mappers/mod_rewrite.c 2012-01-24 19:39:31.0000 00000 +0000 +++ httpd-2.2.22/modules/mappers/mod_rewrite.c 2012-05-24 14:47:49.949153810 +0 100 @@ -4267,10 +4267,14 @@ static int hook_uri2file(request_rec *r) } if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') - || !r->uri || r->uri[0] != '/') { + || !r->uri || + (r->uri[0] != '/' && r->method_number != M_CONNECT)) { + rewritelog((r, 2, NULL, "uri %s is considered a security risk", + r->uri ? r->uri : "<null>")); return DECLINED; } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects
*** This bug has been marked as a duplicate of bug 52774 ***