488886 – mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables

Bug 488886 - mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables

Summary: mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	httpd
Sub Component:
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Joe Orton
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-06 03:59 UTC by Karl Grindley
Modified:	2009-09-02 11:50 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	488939 (view as bug list)
Environment:
Last Closed:	2009-09-02 11:50:39 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Apache Bugzilla	43738	0	None	None	None	Never
Red Hat Product Errata	RHBA-2009:1380	0	normal	SHIPPED_LIVE	httpd bug fix update	2009-09-01 11:48:49 UTC

Description Karl Grindley 2009-03-06 03:59:38 UTC

Description of problem:
If SSLClientVerify for a <directory> is configured, such as:
<Directory "/var/www/html/site">
  SSLVerifyClient require
  SSLVerifyDepth  10
</Directory>

And mod rewrite is configured for this site: (via .htaccess in before mentioned
directory)

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

Submitting a POST with variables defined do NOT show up on the script/php side.
 Disabling mod_rewrite or SSLVerifyClient for the path will cause POST
variables to be defined.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. setup an https server with a certificate bundle and turn on sslVerifyClient
2. install a client certificate in your browser
3. setup mod rewrite rules
4. load any page, and try to submit POST variables.  phpinfo() will show no $_POST is defined.
  
Actual results:
no $_POST variables in php land with this configuration

Expected results:
need those $_POST variables

Additional info:

Comment 1 Joe Orton 2009-03-06 10:39:07 UTC

Ah, this is a known bug in the mod_ssl per-dir-reneg code; I fixed it upstream a while back.  Thanks for the report.

Comment 2 Joe Orton 2009-03-06 10:40:39 UTC

Fixed upstream by: http://svn.apache.org/viewvc?rev=591393&view=rev

Comment 4 Karl Grindley 2009-03-06 14:43:05 UTC

Would it be possible to get this integrated into the next bug release of http/mod_ssl via RHN?

For my short term needs, i think i am going to try to patch the source rpm with your changes and see what happens.

Comment 5 Joe Orton 2009-03-06 15:04:59 UTC

The fix is now scheduled for inclusion in RHEL 5.4.  If you need a supported fix sooner please contact Red Hat Support.

Comment 6 Karl Grindley 2009-03-07 16:59:03 UTC

Fix works great!  i was able to recompile up the SRPM with the patch, and first round of testing looks great!  Thanks for the pointer.

Comment 7 Joe Orton 2009-03-09 11:45:25 UTC

Good to hear - thanks for posting the feedback.

Comment 11 errata-xmlrpc 2009-09-02 11:50:39 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1380.html

Note You need to log in before you can comment on or make changes to this bug.