Blanks in query strings not allowed anymore, HTTP 403 forbidden, "Rewritten query string contains control characters or spaces" (Apache CVE-2023-25690)

Created on 13 March 2023, over 1 year ago
Updated 11 July 2024, about 2 months ago

Problem/Motivation

Up until March 10th 2023, Ubuntu's Apache accepted blanks in rewritten query strings.

Since the fix for CVE-2023-25690, they are not allowed anymore.
Other distros will see similar effects sooner or later, when they use Apache HTTPd >=2.4.56 (or backports of this fix in older versions).

A context filter's default setup is to leave filter strings as they are, i.e. allow blanks as well.
This leads to an HTTP 403 "forbidden" when visiting filtered views with a filter with a blank in it.

Steps to reproduce

Create content
Tag it with a term with blanks
Create a view with a context filter that filters content per taxonomy term
Use the view's filter with a term with blanks
Get HTTP 403
Apache logs say:
Rewritten query string contains control characters or spaces

Proposed resolution

I don't know how to properly solve this.
https://stackoverflow.com/questions/75684314/ah10411-error-managing-spac...
says there is a flag for Apache's mod_rewrite ([B]) that might solve it. I am not sure however whether this might affect other functionality as well and opted not to change Drupal's default .htaccess.

I used a workaround in the context filter: Convert all blanks to dashes.

The current default config (of .htaccess and view config) leads to errors, so something needs to be changed, one way or the other, to make this work without errors. Or at least some help text should be added in the context filter's config to warn this could happen, though I don't feel that's sufficient.

Please note the error states "[..] contains control characters or spaces", so this might as well have similar effects with control characters that might be added. I don't know if this can also happen.

πŸ› Bug report
Status

Active

Version

11.0 πŸ”₯

Component
BaseΒ  β†’

Last updated 25 minutes ago

Created by

πŸ‡¦πŸ‡ΉAustria tgoeg


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Issue created by @tgoeg
  • 🇺🇸 United States cilefen
  • 🇦🇹 Austria tgoeg

    This has a much bigger impact than I thought.
    It also happens for uploaded images (with blanks in them) when editing a node, so this is not only affecting views.
    The linked-to image works, but the derived image style does not get generated properly.
    The upload directly leads to the same error in Apache's error log.

  • 🇩🇪 Germany Anybody Porta Westfalica

    For funny reasons, I came across this on a deprecated Drupal 6 (!) customer project, where the autocomplete (/nodereference/autocomplete/FIELD/xx yy) didn't work anymore. Crazy to see the impact on the web. And probably on all Drupal versions?

    Apache log also reported AH10411: Rewritten query string contains control characters or spaces
    So I guess this is something that has to be fixed in the .htaccess?

    Looks like changing the Drupal 6 RewriteRule from
    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
    to
    RewriteRule ^(.*)$ index.php?q=$1 [B,L,QSA]
    in .htaccess fixes the issue, but I'm not sure yet about possible side effects. We should also look into Drupal 7!

  • 🇺🇸 United States dww

    This is clearly not specific to Views. Making the title more broad and changing component to "base system" to expand to the more accurate scope.

    Writing automated tests for this will be hard since seeing it break depends on a specific Apache version. DrupalCI is currently using 2.4.54 (from what I can tell). Guess we can have tests to ensure we never put a blank space in a query string or something. Basically, try to get our tests to enforce what Apache >= 2.5.56 is requiring.

    But yeah, this seems like a very big, potentially very disruptive change. 😬

  • 🇦🇹 Austria tgoeg

    Keep in mind lots of distros tend to stay at the package version (down to patch level) of the initial release (and be that 10 years old; looking at you, RedHat!) and only patch in/backport stuff like this.
    No distro-specific package version will ever tell you whether it actually incorporates the fix of the official 2.5.56.

    This makes life of a sysadmin/security guy so much fun.
    (Use Gentoo, and you mostly get what it says on the package (pun intended) :-) )

  • 🇺🇸 United States cilefen

    While we analyze this I informed our hosting company to be on the lookout.

  • 🇺🇸 United States johns996 Marquette, MI

    I noticed this impacting media uploads on all of my multisites. Those sites all use a RewriteRule similar to the one listed in #4.

    RewriteRule ^(.*)$ /site/index.php?q=$1 [L,QSA]

    Updating that to add the [B] flag (escape backreferences) fixed the issue.

    RewriteRule ^(.*)$ /site/index.php?q=$1 [B,L,QSA]

    I didn't find another place in the .htaccess that needed the [B] flag added and the changes I made were all exclusive to a multisite install. Was there something I missed?

  • 🇺🇸 United States cilefen

    Here is the documentation of that rewrite flag: https://httpd.apache.org/docs/current/rewrite/flags.html#flag_b

  • 🇺🇸 United States hunmonk

    Hello Drupal community! Been a long time since my last post...

    Just chipping in a little more data here, because I'm facing the same issue with spaces in form autocompletes.

    I was a little nervous to go with the very broad [B,L,QSA] in the rewrite, but a little further down in the doc it says this:

    In 2.4.26 and later, you can limit the escaping to specific characters in backreferences by listing them: [B=#?;]. Note: The space character can be used in the list of characters to escape, but you must quote the entire third argument of RewriteRule and the space must not be the last character in the list.

    # Escape spaces and question marks. The quotes around the final argument
    # are required when a space is included.
    RewriteRule "^search/(.*)$" "/search.php?term=$1" "[B= ?]"

    As it turns out, having multiple comma-separated flags seems to suffice for the space not being the last character with this configuration, and I was able to get it to work, which is only escaping the space before applying the rewrite:

    RewriteRule ^(.*)$ index.php?q=$1 "[B= ,L,QSA]"
    

    This solves the issue w/ autocomplete, and seems a lot less likely to cause collateral damage ;)

    There's also this newer directive: https://httpd.apache.org/docs/current/rewrite/flags.html#flag_bctls -- but it's only available in Apache 2.4.57 and later, and Debian Buster (still supported) is at 2.4.38
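
An added example, not part of any comment above and not Drupal or Apache code: a small Python audit that lists the RewriteRule lines in a configuration which copy a backreference into the query string without escaping blanks, the pattern the comments above fixed with [B] or "[B= ,L,QSA]". The verdict names and the sample configuration are constructed for illustration; RewriteCond context and control characters are not evaluated.

```python
import re

# One directive argument: a double-quoted string or a run of non-blank characters.
ARG = re.compile(r'"(?:\\.|[^"\\])*"|\S+')
# mod_rewrite backreferences: $0-$9 (RewriteRule) and %0-%9 (RewriteCond).
BACKREF = re.compile(r"[$%][0-9]")

def parse_rule(line):
    """Return (substitution, {flag: value}) for a RewriteRule line, else None."""
    args = [a[1:-1] if len(a) > 1 and a[0] == a[-1] == '"' else a
            for a in ARG.findall(line)]
    if len(args) < 3 or args[0].lower() != "rewriterule":
        return None
    flags = {}
    if len(args) > 3 and args[3][:1] == "[" and args[3][-1:] == "]":
        for item in args[3][1:-1].split(","):
            name, _, value = item.partition("=")
            flags[name.strip().upper()] = value   # keep the blank in "B= "
    return args[2], flags

def classify(line):
    """Verdict for one config line (labels are this example's own)."""
    rule = parse_rule(line)
    if rule is None:
        return None                       # comment, blank or other directive
    substitution, flags = rule
    _, sep, query = substitution.partition("?")
    if not sep or not BACKREF.search(query):
        return "no-query-backref"
    if "B" not in flags:
        return "unescaped"                # decoded blanks reach the query string
    if flags["B"] and " " not in flags["B"]:
        return "space-not-escaped"        # B=<list> that leaves out the blank
    return "escaped"

def audit(text):
    """Return [(line number, verdict)] for rules that can still hit AH10411."""
    found = [(n, classify(l)) for n, l in enumerate(text.splitlines(), start=1)]
    return [(n, v) for n, v in found if v in ("unescaped", "space-not-escaped")]

# Constructed sample configuration built from the rule shapes quoted in the thread.
SAMPLE = r'''RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
RewriteRule ^(.*)$ index.php?q=$1 "[B= ,L,QSA]"
RewriteRule "^search/(.*)$" "/search.php?term=$1" "[B=#?;]"
RewriteRule ^ index.php [L]
'''

if __name__ == "__main__":
    for number, verdict in audit(SAMPLE):
        print(f"line {number}: {verdict}")
```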

  • 🇦🇹 Austria tgoeg

    I can't reproduce this anymore, seems to work with the stock .htaccess config in the composer package.
    It also has a different rewrite rule than the one mentioned above.

    See πŸ› Apache shows 403 forbidden when "destination=" contains url encoded question marks (%3F) (CVE-2024-38474) Closed: works as designed for details.

    If others can confirm that a current 10.2 or 10.3 also fixes this, we can close this issue.
