Apache update breaks booking UI

Bug #1823387 reported by Jeff Davis on 2019-04-05
This bug affects 2 people
Affects Status Importance Assigned to Milestone

Bug Description

After applying a recent Apache update, attempts to reach the bookings UI in the web client started giving a 404 with "The requested URL /eg/eg/booking/reservation was not found on this server." in the iframe.

On Ubuntu 16.04, upgrading Apache to 2.4.18-2ubuntu3.10 produces the problem, and downgrading to 2.4.18-2ubuntu3 makes it go away. It appears that the Apache fix for CVE-2019-0220 is the culprit. There are other versions of that fix for Ubuntu 14.04, 18.04, and 18.10, so the same problem may exist in those environments (I haven't tested them).

The issue appears to be with how booking URLs are constructed -- they include a hard-coded double-slash which is now treated differently by Apache. I'll share a branch with a proposed fix shortly.

Thanks to Jeff Godin for narrowing down the cause of this issue.

Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1823387-booking-url-double-slash-apache has a potential fix:


Based on some light testing, this appears to work on both current and downgraded versions of Apache (at least on Ubuntu 16.04). It should be more rigorously tested before being committed.

tags: added: booking
Changed in evergreen:
importance: Undecided → High
tags: added: pullrequest
Changed in evergreen:
milestone: none → 3.3.1
Jane Sandberg (sandbej) wrote :

Nice job tracking down this issue, Jeff and Jeff. This fix works for me; signoff branch here: user/sandbergja/lp1823387-booking-url-double-slash-apache

tags: added: signedoff
Galen Charlton (gmc) wrote :

Pushed to master, rel_3_3, rel_3_2, and rel_3_1. Thanks, Jeff, Jeff, and Jane!

Changed in evergreen:
assignee: nobody → Galen Charlton (gmc)
status: New → Fix Committed
assignee: Galen Charlton (gmc) → nobody
Changed in evergreen:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers