Bug 134764 - mod_proxy does URL escaping twice
Summary: mod_proxy does URL escaping twice
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd
Version: 3.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-10-06 06:37 UTC by andreas.mack@konsec.com
Modified: 2007-11-30 22:07 UTC (History)
0 users

Clone Of:
Last Closed: 2007-10-19 19:17:05 UTC

Attachments (Terms of Use)

Description andreas.mack@konsec.com 2004-10-06 06:37:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041005

Description of problem:
URL escaping is done twice in mod_proxy. See

For us, with authentication enabled in a reverse proxied
<Location> part, the request parameters get dropped.
To us, this is a very bad bug and actually blocks a rollout.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setup apache to do reverse proxying to an url
2. protect the location with an authentication module 
3. test with URLs with request parameters:

Actual Results:  apacheserver.local/myurl.do is forwarded, the
parameters are dropped.
See the above urls in the apache bugzilla for more info. 

Expected Results:  Forward to apacheserver.local/myurl.do?id=444

Additional info:

Comment 1 Joe Orton 2004-10-06 15:33:30 UTC
Thanks for the report.

Comment 2 andreas.mack@konsec.com 2004-10-29 06:57:10 UTC
Bug report is misleading, it was another problem:

If the auth module does authentication not with AuthType Basic,
but through other means, if the "AuthType" is left out, the
fixups for other modules, in this case the proxy module won't
run. If "AuthType XXXX" with "XXXX" as some random/module depended
string is added to the protected Location, it will work.

Hope this helps. Maybe this should be documented somewhere.

I have no information about the "twice escaping bug" I mentioned.
As far as I am concerned, this bug can be closed as "invalid" or so.

Comment 3 Joe Orton 2004-10-29 07:13:04 UTC
Thanks for the further information.

Can you post a complete <Location> block which triggers the bug, for you?

Comment 4 andreas.mack@konsec.com 2004-10-29 07:42:41 UTC
This is depended on the auth module, in our case, mod_auth_mda
ProxyPass /myapp
ProxyPassReverse /myapp

<Location /myapp/>
   AuthName MDAAuth
   #AuthType MdaCookie
   Require valid-user

   MDARealmMask "0000000001"
   MDAAuthTimeoutURL "http://myhost/login"
   MDAAuthLoginURL "http://myhost/login"
   MDAAuthTimeoutMin 600

if AuthType is NOT there, it won't work, if it's there it will work.

/usr/src/redhat/BUILD/httpd-2.0.46/server/request.c, ~line 234:
            if (ap_some_auth_required(r)) {
                if (((access_status = ap_run_check_user_id(r)) != 0)
                    || !ap_auth_type(r)) {
                    return decl_die(access_status, ap_auth_type(r)
                                  ? "check user.  No user file?"
                                  : "perform authentication. AuthType
not set!",                                  r);

The module returns "OK", but the auth type is not set, the decl_die
is called. decl_die seems to see the "OK" and decides to continue
the request.

Let me know if you need further info.

Comment 5 andreas.mack@konsec.com 2004-10-29 07:44:57 UTC
I forgot: decl_die continues, but the fixups in request.c in
ap_process_request_internal can't be called anymore.
The url for the proxy request isn't completed with the request
parameters -> proxy request goes out without them.

Comment 6 RHEL Product and Program Management 2007-10-19 19:17:05 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.