diff -Nru apache2-2.4.7/debian/changelog apache2-2.4.7/debian/changelog --- apache2-2.4.7/debian/changelog 2016-07-14 07:41:21.000000000 -0500 +++ apache2-2.4.7/debian/changelog 2016-07-27 02:02:40.000000000 -0500 @@ -1,3 +1,10 @@ +apache2 (2.4.7-1ubuntu4.14) trusty; urgency=medium + + * d/p/fix_search_dir_during_rewrite.patch: Do not search directory indexes + if a url is in the middle of being rewritten (LP: #1394403) + + -- Wesley Wiedenmeier Wed, 27 Jul 2016 02:00:37 -0500 + apache2 (2.4.7-1ubuntu4.13) trusty-security; urgency=medium * SECURITY UPDATE: proxy request header vulnerability (httpoxy) diff -Nru apache2-2.4.7/debian/patches/fix_search_dir_during_rewrite.patch apache2-2.4.7/debian/patches/fix_search_dir_during_rewrite.patch --- apache2-2.4.7/debian/patches/fix_search_dir_during_rewrite.patch 1969-12-31 18:00:00.000000000 -0600 +++ apache2-2.4.7/debian/patches/fix_search_dir_during_rewrite.patch 2016-07-27 02:02:35.000000000 -0500 @@ -0,0 +1,66 @@ +Description: Do not search for directory indexes if a url is in the middle of + being rewritten +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1394403 +Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1557641 +Last-Update: 2017-07-27 + +Index: apache2-2.4.7/modules/mappers/mod_dir.c +=================================================================== +--- apache2-2.4.7.orig/modules/mappers/mod_dir.c ++++ apache2-2.4.7/modules/mappers/mod_dir.c +@@ -29,6 +29,7 @@ + #include "http_log.h" + #include "http_main.h" + #include "util_script.h" ++#include "mod_rewrite.h" + + module AP_MODULE_DECLARE_DATA dir_module; + +@@ -277,6 +278,11 @@ static int fixup_dir(request_rec *r) + return DECLINED; + } + ++ /* we're running between mod_rewrites fixup and its internal redirect handler, step aside */ ++ if (!strcmp(r->handler, REDIRECT_HANDLER_NAME)) { ++ return DECLINED; ++ } ++ + if (d->index_names) { + names_ptr = (char **)d->index_names->elts; + num_names = d->index_names->nelts; +Index: apache2-2.4.7/modules/mappers/mod_rewrite.c +=================================================================== +--- apache2-2.4.7.orig/modules/mappers/mod_rewrite.c ++++ apache2-2.4.7/modules/mappers/mod_rewrite.c +@@ -5004,7 +5004,7 @@ static int hook_fixup(request_rec *r) + rewritelog((r, 1, dconf->directory, "internal redirect with %s " + "[INTERNAL REDIRECT]", r->filename)); + r->filename = apr_pstrcat(r->pool, "redirect:", r->filename, NULL); +- r->handler = "redirect-handler"; ++ r->handler = REDIRECT_HANDLER_NAME; + return OK; + } + } +@@ -5050,7 +5050,7 @@ static int hook_mimetype(request_rec *r) + */ + static int handler_redirect(request_rec *r) + { +- if (strcmp(r->handler, "redirect-handler")) { ++ if (strcmp(r->handler, REDIRECT_HANDLER_NAME)) { + return DECLINED; + } + +Index: apache2-2.4.7/modules/mappers/mod_rewrite.h +=================================================================== +--- apache2-2.4.7.orig/modules/mappers/mod_rewrite.h ++++ apache2-2.4.7/modules/mappers/mod_rewrite.h +@@ -29,6 +29,8 @@ + #include "apr_optional.h" + #include "httpd.h" + ++#define REDIRECT_HANDLER_NAME "redirect-handler" ++ + /* rewrite map function prototype */ + typedef char *(rewrite_mapfunc_t)(request_rec *r, char *key); + diff -Nru apache2-2.4.7/debian/patches/series apache2-2.4.7/debian/patches/series --- apache2-2.4.7/debian/patches/series 2016-07-14 07:40:50.000000000 -0500 +++ apache2-2.4.7/debian/patches/series 2016-07-27 01:02:37.000000000 -0500 @@ -26,3 +26,4 @@ fix_mod_proxy_wstunnel.patch fix-proxy-error-overwrite-timeout.patch CVE-2016-5387.patch +fix_search_dir_during_rewrite.patch