Apache update breaks booking UI
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Evergreen |
Fix Released
|
High
|
Unassigned | ||
| 3.1 |
Fix Released
|
High
|
Unassigned | ||
| 3.2 |
Fix Released
|
High
|
Unassigned | ||
Bug Description
After applying a recent Apache update, attempts to reach the bookings UI in the web client started giving a 404 with "The requested URL /eg/eg/
On Ubuntu 16.04, upgrading Apache to 2.4.18-2ubuntu3.10 produces the problem, and downgrading to 2.4.18-2ubuntu3 makes it go away. It appears that the Apache fix for CVE-2019-0220 is the culprit. There are other versions of that fix for Ubuntu 14.04, 18.04, and 18.10, so the same problem may exist in those environments (I haven't tested them).
The issue appears to be with how booking URLs are constructed -- they include a hard-coded double-slash which is now treated differently by Apache. I'll share a branch with a proposed fix shortly.
Thanks to Jeff Godin for narrowing down the cause of this issue.
| Changed in evergreen: | |
| importance: | Undecided → High |
| tags: | added: pullrequest |
| Changed in evergreen: | |
| milestone: | none → 3.3.1 |
| Galen Charlton (gmc) wrote | #3 |
| Changed in evergreen: | |
| assignee: | nobody → Galen Charlton (gmc) |
| status: | New → Fix Committed |
| assignee: | Galen Charlton (gmc) → nobody |
| Changed in evergreen: | |
| status: | Fix Committed → Fix Released |
Working branch user/jeffdavis/
https:/
Based on some light testing, this appears to work on both current and downgraded versions of Apache (at least on Ubuntu 16.04). It should be more rigorously tested before being committed.