Fix for CVE-2024-38474 also blocks %3f in appended query strings

There were some releases after 2.4.41-4ubuntu3.19, but they don't seem to address this specific regression.

We have:

https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.20
  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.21
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

And this one is in focal-proposed:
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.22
  * d/debhelper/apache2-maintscript-helper: Allow execution when called from a
    postinst script through a trigger (i.e., postinst triggered).
    Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)

I checked the code in 2.4.41-4ubuntu3.22 and the patch[1] doesn't seem to be there indeed. I'll flag this bug here to the security team.
Note I couldn't get access to the svn commit, as it returned a 403[2]. Briefly checking the github mirror, it seems to be this commit[3].

1. https://bz.apache.org/bugzilla/attachment.cgi?id=39815&action=diff&collapsed=&headers=1&format=raw
2. https://svn.apache.org/viewvc?view=rev&rev=1919545
3. https://github.com/apache/httpd/commit/a0a68b99d131741c1867cff321424892838fc4b3

Hi security, this looks like a security regression in https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.19. See previous comment where I tracked some things down.

Hi,

We are working in a fix based in that commit. Meanwhile, would mind to provide any ways to reproduce that issue, so we can check if the fix/patch properly fix it?

Thanks in advance!

Hi,

Here's an example on how to reproduce the issue

We have a folder "modules/" with the following .htaccess content:
##################
RewriteEngine on

# Module only
RewriteRule ^([-a-zA-Z0-9_]+)/?$ %/modules/index.php?module=$1&%{QUERY_STRING} [NC,L]
##################

Accessing the URL: myapp.local/modules/test_rewrite/?url=mysite.net%3fsearch=question%3f

results in a 403 Forbidden error and generates a log entry:

2025-04-03 12:12:44 [Thu Apr 03 10:12:44.688826 2025] [rewrite:error] [pid 828:tid 847] [client 172.18.0.6:57350] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
2025-04-03 12:12:44 172.18.0.6 - - [03/Apr/2025:10:12:44 +0000] "GET /modules/test_rewrite/?url=mysite.net%3fsearch=question%3f HTTP/1.1" 403 199

Version used in the container:
$apachectl -V
Server version: Apache/2.4.62 (Unix)
Server built: Nov 12 2024 02:03:18
Server's Module Magic Number: 20120211:134
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 8.39 2016-06-14
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 8.39 2016-06-14

Hope it helps

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package apache2 - 2.4.62-1ubuntu1.1

---------------
apache2 (2.4.62-1ubuntu1.1) oracular-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 06:16:23 -0300

This bug was fixed in the package apache2 - 2.4.52-1ubuntu4.14

---------------
apache2 (2.4.52-1ubuntu4.14) jammy-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 06:05:48 -0300

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.23

---------------
apache2 (2.4.41-4ubuntu3.23) focal-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 02 Apr 2025 15:34:29 -0300

This bug was fixed in the package apache2 - 2.4.58-1ubuntu8.6

---------------
apache2 (2.4.58-1ubuntu8.6) noble-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 11:36:49 -0300

Hi,

It appears this patch has introduced a regression, whereby a `?` character introduced in a RewriteMap now (in 2.4.52-1ubuntu4.14) requires [UnsafeAllow3F] where it didn't previously. A minimal config to reproduce:

-----------------------
RewriteEngine On
RewriteRule ^/bob$ /jeremy?asd=asd [L,R]

RewriteMap redirects txt:maps/redirects.txt
RewriteRule ^(/fred)/?$ ${redirects:$1} [L,R]
-----------------------

With a map of:

-----------------------
/fred /jeremy?asd=asd
-----------------------

A request to /bob works as expected with a 302 redirect to /jeremy?asd=asd
A request to /fred does not work and instead returns a 403 with "Unsafe URL with %3f URL rewritten without UnsafeAllow3F" logged.

We have confirmed that in version 2.4.52-1ubuntu4.13 this was working as expected without the need for [UnsafeAllow3F].

I can file a new bug for this if required.

Hi,

Did you report it to upstream too? Maybe it is an issue about the fix itself.

No, since it hasn't been verified whether upstream is affected.

Hi,

I'm investigating the issue and tryng to find what pieces are missing between jammy and plucky that fix that issue.

So far, I could reproduce the issue with the config you pasted:

in Jammy:

[Tue Apr 22 11:10:18.009699 2025] [rewrite:error] [pid 9771] [client 127.0.0.1:56084] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Tue Apr 22 11:10:25.648474 2025] [rewrite:error] [pid 9772] [client 127.0.0.1:36442] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

in Plucky:

127.0.0.1 - - [22/Apr/2025:07:47:57 -0300] "GET /fred HTTP/1.1" 403 491 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0"

Hi,

I may be misunderstanding your comment but I don't think it is fixed in Plucky - I've just tried and can reproduce with the same behaviour (using version 2.4.63-1ubuntu1).

In both Plucky and Jammy I get a 403 response, with the "AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F" error logged in the error.log - and from the looks of it I think that is probably what you were actually getting too.

 Hi,

Yep, i got the same in plucky after re-check my configs:

[Tue Apr 22 12:14:16.176186 2025] [rewrite:error] [pid 12244:tid 12244] [client 127.0.0.1:43612] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

Since we could reproduce it in plucky that is version 2.4.63, same as upstream, do you mind to report this bug upstream: https://httpd.apache.org/bug_report.html

Thanks a lot for report it!