Activity log for bug #1394403

Date Who What changed Old value New value Message
2014-11-19 23:24:57 Matthias Ferdinand bug added bug
2015-03-18 14:45:23 Elger bug watch added https://bz.apache.org/bugzilla/show_bug.cgi?id=53929
2015-04-30 10:46:51 Launchpad Janitor apache2 (Ubuntu): status New Confirmed
2015-04-30 11:02:49 Roman Plessl bug added subscriber Roman Plessl
2015-04-30 11:14:30 Roman Plessl bug added subscriber indero
2015-04-30 11:14:34 Roman Plessl removed subscriber indero
2015-04-30 11:31:46 Robie Basak bug task added apache2
2015-04-30 11:34:39 Robie Basak bug added subscriber Robie Basak
2015-04-30 11:34:48 Robie Basak bug added subscriber Ubuntu Server Team
2015-04-30 11:35:17 Robie Basak nominated for series Ubuntu Trusty
2015-04-30 11:35:17 Robie Basak bug task added apache2 (Ubuntu Trusty)
2015-04-30 11:35:41 Robie Basak apache2 (Ubuntu Trusty): status New Confirmed
2015-04-30 11:35:45 Robie Basak apache2 (Ubuntu): status Confirmed Fix Released
2015-04-30 11:35:49 Robie Basak apache2 (Ubuntu Trusty): importance Undecided Medium
2015-04-30 11:36:13 Robie Basak summary apache 2.4.7 mod_dir bug PR53929 RewriteRule of "^$" is broken
2015-08-07 19:41:03 Robie Basak tags apache rewrite apache bitesize rewrite
2015-08-10 15:46:18 Robie Basak tags apache bitesize rewrite apache bitesize rewrite server-next
2015-08-11 16:21:46 Wesley Wiedenmeier apache2 (Ubuntu Trusty): assignee Wesley Wiedenmeier (wesley-wiedenmeier)
2015-08-11 16:36:29 Robie Basak tags apache bitesize rewrite server-next apache bitesize rewrite
2015-08-17 14:43:14 Wesley Wiedenmeier attachment added trusty-sru-debdiff https://bugs.launchpad.net/ubuntu/trusty/+source/apache2/+bug/1394403/+attachment/4445979/+files/trusty-sru-debdiff
2015-08-17 14:46:16 Wesley Wiedenmeier description Ubuntu 14.04LTS x86_64 In apache 2.4.7 there is a bug in mod_dir, in that it does not stop when the URL has just been rewritten by mod_rewrite. If you have rewrite rules in .htaccess, ending in a [P] for an external URL, rule execution should stop and mod_proxy should go and fetch the given URL. Instead, mod_dir fires another round of rewrite rule checks as it looks for .../index.html, possibly giving completely different results (e.g. not fetching from remote site). http://www.apachelounge.com/Changelog-2.4.html: ... *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener] ... http://stackoverflow.com/questions/17095981/why-apache-mod-rewrite-rewrites-twice-my-url Please backport the for PR53929 (or update apache package to 2.4.9) [Test Case] Setup Apache 2.4.7 * mod_rewrite * mod_ajp * mod_dir Tomcat * Listening on Port 9001 Apache with a .htaccess in the example.net VirtualHost RewriteEngine On RewriteRule ^(.*)$ ajp://localhost:9001/$1 [P] Expected: Return from Tomcat HTTP Status 404 - / Reality: Return from Tomcat HTTP Status 404 - /index.html Workaround for this particular setup was to either disable mod_dir or disable DirectoryIndex in .htaccess. Or on VirtualHost context use ProxyPass. ProxyPass / ajp://localhost:9001/ ProxyPassReverse / ajp://localhost:9001/ [Impact] With DirectoryIndex disabled: <pre> [Thu Apr 30 13:55:18.761066 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> [Thu Apr 30 13:55:18.761191 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri '' [Thu Apr 30 13:55:18.761215 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/' [Thu Apr 30 13:55:18.761232 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/ [Thu Apr 30 13:55:18.761245 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/ [Thu Apr 30 13:55:18.761259 2015] [rewrite:trace1] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK] </pre> With DirectoryIndex enabled: <pre> [Thu Apr 30 13:58:37.954876 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> [Thu Apr 30 13:58:37.954930 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri '' [Thu Apr 30 13:58:37.954947 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/' [Thu Apr 30 13:58:37.954959 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/ [Thu Apr 30 13:58:37.954968 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/ [Thu Apr 30 13:58:37.954977 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK] [Thu Apr 30 13:58:37.955023 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/index.html -> index.html [Thu Apr 30 13:58:37.955036 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri 'index.html' [Thu Apr 30 13:58:37.955076 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] rewrite 'index.html' -> 'ajp://localhost:9001/index.html' [Thu Apr 30 13:58:37.955086 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/index.html -> ajp://localhost:9001/index.html [Thu Apr 30 13:58:37.955094 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/index.html [Thu Apr 30 13:58:37.955103 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/index.html [OK] </pre> [Regression Potential] As stated on the apache bugtracker https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10: "The behavior now seems to be consistent with 2.2, and a rewrite rule that conflicts with a DirectoryIndex gets applied." [Original Description] Ubuntu 14.04LTS x86_64 In apache 2.4.7 there is a bug in mod_dir, in that it does not stop when the URL has just been rewritten by mod_rewrite. If you have rewrite rules in .htaccess, ending in a [P] for an external URL, rule execution should stop and mod_proxy should go and fetch the given URL. Instead, mod_dir fires another round of rewrite rule checks as it looks for .../index.html, possibly giving completely different results (e.g. not fetching from remote site). http://www.apachelounge.com/Changelog-2.4.html:   ...   *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a      URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener]   ... http://stackoverflow.com/questions/17095981/why-apache-mod-rewrite-rewrites-twice-my-url Please backport the for PR53929 (or update apache package to 2.4.9)
2015-08-17 17:10:10 Wesley Wiedenmeier bug added subscriber Ubuntu Sponsors Team
2015-08-18 15:31:48 Wesley Wiedenmeier attachment removed trusty-sru-debdiff https://bugs.launchpad.net/ubuntu/trusty/+source/apache2/+bug/1394403/+attachment/4445979/+files/trusty-sru-debdiff
2015-08-18 15:33:09 Wesley Wiedenmeier attachment added trusty-sru-debdiff https://bugs.launchpad.net/ubuntu/trusty/+source/apache2/+bug/1394403/+attachment/4447223/+files/trusty-sru-debdiff
2015-08-30 20:50:11 Wesley Wiedenmeier description [Test Case] Setup Apache 2.4.7 * mod_rewrite * mod_ajp * mod_dir Tomcat * Listening on Port 9001 Apache with a .htaccess in the example.net VirtualHost RewriteEngine On RewriteRule ^(.*)$ ajp://localhost:9001/$1 [P] Expected: Return from Tomcat HTTP Status 404 - / Reality: Return from Tomcat HTTP Status 404 - /index.html Workaround for this particular setup was to either disable mod_dir or disable DirectoryIndex in .htaccess. Or on VirtualHost context use ProxyPass. ProxyPass / ajp://localhost:9001/ ProxyPassReverse / ajp://localhost:9001/ [Impact] With DirectoryIndex disabled: <pre> [Thu Apr 30 13:55:18.761066 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> [Thu Apr 30 13:55:18.761191 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri '' [Thu Apr 30 13:55:18.761215 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/' [Thu Apr 30 13:55:18.761232 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/ [Thu Apr 30 13:55:18.761245 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/ [Thu Apr 30 13:55:18.761259 2015] [rewrite:trace1] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK] </pre> With DirectoryIndex enabled: <pre> [Thu Apr 30 13:58:37.954876 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> [Thu Apr 30 13:58:37.954930 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri '' [Thu Apr 30 13:58:37.954947 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/' [Thu Apr 30 13:58:37.954959 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/ [Thu Apr 30 13:58:37.954968 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/ [Thu Apr 30 13:58:37.954977 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK] [Thu Apr 30 13:58:37.955023 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/index.html -> index.html [Thu Apr 30 13:58:37.955036 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri 'index.html' [Thu Apr 30 13:58:37.955076 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] rewrite 'index.html' -> 'ajp://localhost:9001/index.html' [Thu Apr 30 13:58:37.955086 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/index.html -> ajp://localhost:9001/index.html [Thu Apr 30 13:58:37.955094 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/index.html [Thu Apr 30 13:58:37.955103 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/index.html [OK] </pre> [Regression Potential] As stated on the apache bugtracker https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10: "The behavior now seems to be consistent with 2.2, and a rewrite rule that conflicts with a DirectoryIndex gets applied." [Original Description] Ubuntu 14.04LTS x86_64 In apache 2.4.7 there is a bug in mod_dir, in that it does not stop when the URL has just been rewritten by mod_rewrite. If you have rewrite rules in .htaccess, ending in a [P] for an external URL, rule execution should stop and mod_proxy should go and fetch the given URL. Instead, mod_dir fires another round of rewrite rule checks as it looks for .../index.html, possibly giving completely different results (e.g. not fetching from remote site). http://www.apachelounge.com/Changelog-2.4.html:   ...   *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a      URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener]   ... http://stackoverflow.com/questions/17095981/why-apache-mod-rewrite-rewrites-twice-my-url Please backport the for PR53929 (or update apache package to 2.4.9) [Test Case] Setup Apache 2.4.7 * mod_rewrite * mod_ajp * mod_dir Tomcat * Listening on Port 9001 Apache with a .htaccess in the example.net VirtualHost   RewriteEngine On   RewriteRule ^(.*)$ ajp://localhost:9001/$1 [P] Expected: Return from Tomcat   HTTP Status 404 - / Reality: Return from Tomcat   HTTP Status 404 - /index.html Workaround for this particular setup was to either disable mod_dir or disable DirectoryIndex in .htaccess. Or on VirtualHost context use ProxyPass.   ProxyPass / ajp://localhost:9001/   ProxyPassReverse / ajp://localhost:9001/ [Impact] With DirectoryIndex disabled: <pre> [Thu Apr 30 13:55:18.761066 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> [Thu Apr 30 13:55:18.761191 2015] [rewrite:trace3] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri '' [Thu Apr 30 13:55:18.761215 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/' [Thu Apr 30 13:55:18.761232 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/ [Thu Apr 30 13:55:18.761245 2015] [rewrite:trace2] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/ [Thu Apr 30 13:55:18.761259 2015] [rewrite:trace1] [pid 31422] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38052] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb50a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK] </pre> With DirectoryIndex enabled: <pre> [Thu Apr 30 13:58:37.954876 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/ -> [Thu Apr 30 13:58:37.954930 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri '' [Thu Apr 30 13:58:37.954947 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] rewrite '' -> 'ajp://localhost:9001/' [Thu Apr 30 13:58:37.954959 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/ -> ajp://localhost:9001/ [Thu Apr 30 13:58:37.954968 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/ [Thu Apr 30 13:58:37.954977 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb10a0/initial] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/ [OK] [Thu Apr 30 13:58:37.955023 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] strip per-dir prefix: /home/www-data/example.net/index.html -> index.html [Thu Apr 30 13:58:37.955036 2015] [rewrite:trace3] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] applying pattern '^(.*)$' to uri 'index.html' [Thu Apr 30 13:58:37.955076 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] rewrite 'index.html' -> 'ajp://localhost:9001/index.html' [Thu Apr 30 13:58:37.955086 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] escaped URI in per-dir context for proxy, ajp://localhost:9001/index.html -> ajp://localhost:9001/index.html [Thu Apr 30 13:58:37.955094 2015] [rewrite:trace2] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] forcing proxy-throughput with ajp://localhost:9001/index.html [Thu Apr 30 13:58:37.955103 2015] [rewrite:trace1] [pid 31419] mod_rewrite.c(468): [client XXX.XXX.XXX.XXX:38156] XXX.XXX.XXX.XXX - - [example.net/sid#7fc6ddd849f8][rid#7fc6ddcb30a0/subreq] [perdir /home/www-data/example.net/] go-ahead with proxy request proxy:ajp://localhost:9001/index.html [OK] </pre> [Regression Potential] As stated on the apache bugtracker https://bz.apache.org/bugzilla/show_bug.cgi?id=53929#c10: "The behavior now seems to be consistent with 2.2, and a rewrite rule that conflicts with a DirectoryIndex gets applied." The default value of the new configuration option does change behaviour so there is a chance that this could be undesirable for some users. However, this is a very small chance, as the current default behaviour is only present in apache versions between 2.4 and 2.4.8 when the fix was introduced upstream. Behaviour can be kept consistent with current behaviour by setting "DirectoryCheckHandler On". [Original Description] Ubuntu 14.04LTS x86_64 In apache 2.4.7 there is a bug in mod_dir, in that it does not stop when the URL has just been rewritten by mod_rewrite. If you have rewrite rules in .htaccess, ending in a [P] for an external URL, rule execution should stop and mod_proxy should go and fetch the given URL. Instead, mod_dir fires another round of rewrite rule checks as it looks for .../index.html, possibly giving completely different results (e.g. not fetching from remote site). http://www.apachelounge.com/Changelog-2.4.html:   ...   *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a      URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener]   ... http://stackoverflow.com/questions/17095981/why-apache-mod-rewrite-rewrites-twice-my-url Please backport the for PR53929 (or update apache package to 2.4.9)
2015-08-31 02:57:37 Wesley Wiedenmeier attachment added trusty-sru-debdiff-updated https://bugs.launchpad.net/ubuntu/trusty/+source/apache2/+bug/1394403/+attachment/4454758/+files/trusty-sru-debdiff-updated
2015-09-01 11:19:40 Robie Basak apache2 (Ubuntu Trusty): status Confirmed In Progress
2015-09-02 13:00:25 Chris J Arges apache2 (Ubuntu Trusty): status In Progress Fix Committed
2015-09-02 13:00:27 Chris J Arges bug added subscriber Ubuntu Stable Release Updates Team
2015-09-02 13:00:33 Chris J Arges bug added subscriber SRU Verification
2015-09-02 13:00:37 Chris J Arges tags apache bitesize rewrite apache bitesize rewrite verification-needed
2015-09-02 13:05:08 Chris J Arges removed subscriber Ubuntu Sponsors Team
2015-09-18 18:41:03 Mathew Hodson tags apache bitesize rewrite verification-needed bitesize trusty verification-done
2015-09-23 14:24:42 Launchpad Janitor apache2 (Ubuntu Trusty): status Fix Committed Fix Released
2015-09-23 14:24:51 Chris J Arges removed subscriber Ubuntu Stable Release Updates Team
2015-09-24 08:55:37 Robie Basak apache2 (Ubuntu Trusty): status Fix Released New
2015-09-24 08:56:28 Robie Basak apache2 (Ubuntu Trusty): status New Incomplete
2015-09-24 21:22:11 Matthias Ferdinand attachment added apache configuration snippets to reproduce the bug https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1394403/+attachment/4473801/+files/reproduce-1394403.tgz
2016-01-08 15:11:55 Frank Agerholm bug added subscriber Frank Agerholm
2016-07-18 17:54:59 Launchpad Janitor apache2 (Ubuntu Trusty): status Incomplete Fix Released
2016-07-18 17:54:59 Launchpad Janitor cve linked 2016-5387
2016-07-18 18:12:10 Marc Deslauriers apache2 (Ubuntu Trusty): status Fix Released Incomplete
2016-07-27 07:39:00 Wesley Wiedenmeier attachment added fix_rewrite_rule_update.debdiff https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1394403/+attachment/4707966/+files/fix_rewrite_rule_update.debdiff
2016-08-15 20:31:33 Matthias Ferdinand attachment added fixes mod_rewrite->[P] case https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1394403/+attachment/4721396/+files/fix_rewrite_rule_update_with_proxy.debdiff
2016-08-15 20:39:24 Matthias Ferdinand attachment added mod_rewrite->[P] inside vhost https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1394403/+attachment/4721411/+files/blubb.conf