Configuration Guide: Set UnsafeAllow3F for Apache RewriteRule

Summary: Since Apache HTTP Server 2.4.61 including https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?r1=1918560&r2=1918561&pathrev=1918561&diff_format=h due to https://www.cve.org/CVERecord?id=CVE-2024-38474, URIs including %3F throw a HTTP 403 error and the following error log entry: `AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F` Update the corresponding RewriteRule in the Phorge configuration guide to explicitly set UnsafeAllow3F. https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_unsafe_allow_3f Closes T15889 Test Plan: Run Apache HTTP Server 2.4.61, go to https://phorge.localhost/maniphest/task/edit/form/default/?title=%3f and get a HTTP 403 (before) or a "?" as task title (after). Reviewers: O1 Blessed Committers, valerio.bozzolan Reviewed By: O1 Blessed Committers, valerio.bozzolan Subscribers: tobiaswiese, valerio.bozzolan, Matthew, Cigaryno Maniphest Tasks: T15889 Differential Revision: https://we.phorge.it/D25739
2024-11-21 22:32:41 +01:00 · 2024-07-22 23:11:25 +02:00 · 2024-07-22 23:11:25 +02:00 · 4da3b096b0
commit 4da3b096b0
parent 62aaa0fcbe
1 changed files with 1 additions and 1 deletions
--- a/src/docs/user/configuration/configuration_guide.diviner
+++ b/src/docs/user/configuration/configuration_guide.diviner
@ -49,7 +49,7 @@ this:
    DocumentRoot /path/to/phorge/webroot

    RewriteEngine on
-    RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]
+    RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA,UnsafeAllow3F]
  </VirtualHost>

 If Apache isn't currently configured to serve documents out of the directory