[h2]Apache2 Rewrite AH10410 Symptom Description[/h2]
❓ SYMPTOM Description: You will start to see Google Search console reporting some 403 Forbidden HTTP Error around 2023-March about your product-rewrite page, catalog-rewrite page or tags-rewrite pages and these rewrite pages are with "Space (0x20, %20)".
for example
👉
https://vovo2000.com/tags/petit%20fancy/
❓ And these URLs were just 100% OK before January 2023 and February 2023 and you did NOT touch any thing in mod_rewrite section in your htaccess or site-config at all.
[h2]Fact & Issue Analysis[/h2]
✅ Fact 1: In fact, when you try to check access.log, it is 100% perfect with HTTP 200 OK for every time you check it.
✅ Fact 2: When you look at the apache2 error.log, you will see "AH10410: Rewritten query string contains control characters or spaces", and this is trigger by Apache2 HTTP mod_rewrite.
代碼:
[Tue Mar 16 10:44:05.479647 2023] [rewrite:error] [client 55.66.77.88:65176] AH10410: Rewritten query string contains control characters or spaces
✅ Fact 3: You did some Apache2 httpd upgrade (yum/dnf update or apt upgrade or something like this) around early of March 2023. In fact, though this CVE-2023-25690 is much like a mod_proxy patch, BUT HOWEVER, it did revise mod_rewrite & mod_rewrite_http2 as well.
✅ Analysis 4: Then, you look at this CVE patch in github or svn apache.org, you will see.
代碼:
Author: covener
Date: Sun Mar 5 20:28:43 2023 UTC
Changed paths: 7
Log Message:
Merge r1908095 from trunk:
don't forward invalid query strings
Submitted by: rpluem
Reviewed By: covener, fielding, rpluem, gbechis
Code diff of mod_rewrite.c
代碼:
modules/mappers/mod_rewrite.c
@@ -4729,6 +4729,17 @@ static int hook_uri2file(request_rec *r)
unsigned skip;
apr_size_t flen;
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
if (ACTION_STATUS == rulestatus) {
int n = r->status;
ref: https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff
ref: https://svn.apache.org/viewvc?view=revision&revision=1908096
[h2]How to Quick Workaround[/h2]
✅ Workaround 1: This is NOT an issue of your cgi app, nor your scripts issue(python, java, php, ruby) since you didn't touch them at all. This is Apache2 RewriteRule issue, JUST try to add an [B] flag in the end of your RewriteRule before [QSA]
For example, Try to revise your rewrite conf or .htaccess.
代碼:
# ❌ BEFORE (though it is 100% OK before 2023 Feb or Jan ...)
RewriteRule ^/product/(.*)/([0-9]*)$ /control/show_product.php?prod=$1&p=$2 [QSA]
# ✅ AFTER: Add a [B] flag in the rear of your rewrite rule, usually before [QSA]
RewriteRule ^/product/(.*)/([0-9]*)$ /control/show_product.php?prod=$1&p=$2 [B,QSA]
(Optional, Do an apache2 restart and)
then test again your "/product/good example product/" and this rewrite will become OK again!(2023-03-21 11:43)