Bug 488886 - mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Joe Orton
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-05 22:59 EST by Karl Grindley
Modified: 2009-09-02 07:50 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 488939 (view as bug list)
Environment:
Last Closed: 2009-09-02 07:50:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Apache Bugzilla 43738 None None None Never

  None (edit)
Description Karl Grindley 2009-03-05 22:59:38 EST
Description of problem:
If SSLClientVerify for a <directory> is configured, such as:
<Directory "/var/www/html/site">
  SSLVerifyClient require
  SSLVerifyDepth  10
</Directory>

And mod rewrite is configured for this site: (via .htaccess in before mentioned
directory)

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

Submitting a POST with variables defined do NOT show up on the script/php side.
 Disabling mod_rewrite or SSLVerifyClient for the path will cause POST
variables to be defined.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. setup an https server with a certificate bundle and turn on sslVerifyClient
2. install a client certificate in your browser
3. setup mod rewrite rules
4. load any page, and try to submit POST variables.  phpinfo() will show no $_POST is defined.
  
Actual results:
no $_POST variables in php land with this configuration

Expected results:
need those $_POST variables

Additional info:
Comment 1 Joe Orton 2009-03-06 05:39:07 EST
Ah, this is a known bug in the mod_ssl per-dir-reneg code; I fixed it upstream a while back.  Thanks for the report.
Comment 2 Joe Orton 2009-03-06 05:40:39 EST
Fixed upstream by: http://svn.apache.org/viewvc?rev=591393&view=rev
Comment 4 Karl Grindley 2009-03-06 09:43:05 EST
Would it be possible to get this integrated into the next bug release of http/mod_ssl via RHN?

For my short term needs, i think i am going to try to patch the source rpm with your changes and see what happens.
Comment 5 Joe Orton 2009-03-06 10:04:59 EST
The fix is now scheduled for inclusion in RHEL 5.4.  If you need a supported fix sooner please contact Red Hat Support.
Comment 6 Karl Grindley 2009-03-07 11:59:03 EST
Fix works great!  i was able to recompile up the SRPM with the patch, and first round of testing looks great!  Thanks for the pointer.
Comment 7 Joe Orton 2009-03-09 07:45:25 EDT
Good to hear - thanks for posting the feedback.
Comment 11 errata-xmlrpc 2009-09-02 07:50:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1380.html

Note You need to log in before you can comment on or make changes to this bug.