Flag link URL contains ?q= unnecessarily, breaks in Apache 2.4.60 and later

Created on 25 July 2024, 5 months ago

Problem/Motivation

The flag link URL "destination" query argument includes the entity URL, but also the same URL unnecessarily repeated as a "?q=" query argument.

This breaks in mod_rewrite in Apache HTTP Server 2.4.60 and later, which takes exception to having "?" encoded as %3F in a query argument that is being rewritten. Security issue description: https://www.cve.org/CVERecord?id=CVE-2024-38474

Adding "UnsafeAllow3F" to the Drupal main rewrite rule works around this security limitation:

RewriteRule ^(.*)$ index.php?q=$1 [L,QSA,UnsafeAllow3F]

This works around the problem, but ideally the URL created by Flag should not include the "?q=" part.

Will investigate further when I get time.

πŸ› Bug report
Status

Active

Version

4.0

Component

Flag core

Created by

🇬🇧 United Kingdom fonant


Comments & Activities

  • Issue created by @fonant
  • 🇬🇧 United Kingdom fonant
  • 🇬🇧 United Kingdom fonant
  • 🇺🇸 United States johns996 Marquette, MI

    I noticed a similar issue with the UnsafeAllow3F Apache update that was added to repos around July 1, 2024. I'm running a Drupal multisite and each site runs in a subdirectory of the main domain. Each of these sites has its own block of rewrites in the main .htaccess. For any of the admin URLs to function after this Apache update, I needed to add the new flag like the example below.

      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteCond %{REQUEST_URI} ^/example/(.*)$
      RewriteRule ^(.*)$ /example/index.php?q=$1 [B,L,QSA,UnsafeAllow3F]
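
An added audit sketch, not part of the original issue or of the Flag or Drupal code: it lists the RewriteRules in an .htaccess whose substitution adds a query string, reports which of them carry UnsafeAllow3F, and applies a simplified model of the %3F check described in this issue. The function names, the sample .htaccess and the request URI are constructed for illustration.

```python
import re

# "RewriteRule <pattern> <substitution> [flags]"; the flag list is optional.
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$', re.I)

# Constructed sample: the Drupal rule without the flag, a multisite rule with it,
# and a redirect that adds no query string.
SAMPLE_HTACCESS = "\n".join([
    "RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]",
    "RewriteCond %{REQUEST_URI} ^/example/(.*)$",
    "RewriteRule ^(.*)$ /example/index.php?q=$1 [B,L,QSA,UnsafeAllow3F]",
    "RewriteRule ^old$ /new [R=301,L]",
])

# Constructed request: a destination argument carrying an encoded "?q=".
SAMPLE_URI = "/some/flag-link?destination=/node/1%3Fq%3D/node/1"

def audit_rewrite_rules(htaccess_text):
    """Return one finding per RewriteRule whose substitution contains a "?"."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        subst, flags = m.group(2), m.group(3) or ""
        if "?" not in subst:
            continue  # no query string added, so the %3F check is not in play
        flagset = {f.strip().split("=")[0].lower() for f in flags.split(",") if f.strip()}
        findings.append({
            "line": lineno,
            "substitution": subst,
            # True means the security check is switched off for this rule.
            "allows_3f": "unsafeallow3f" in flagset,
            # A backreference after the "?" copies request data into the query.
            "copies_capture_into_query": bool(re.search(r'\?.*[$%]\d', subst)),
        })
    return findings

def would_be_rejected(request_uri, finding):
    """Simplified model (an assumption, not Apache's code): an encoded "?" in the
    request plus a "?" in the substitution is refused unless UnsafeAllow3F is set."""
    return "%3f" in request_uri.lower() and not finding["allows_3f"]

if __name__ == "__main__":
    for f in audit_rewrite_rules(SAMPLE_HTACCESS):
        print(f, "rejected:", would_be_rejected(SAMPLE_URI, f))
```

Rules reported with `allows_3f` set are the ones to revisit once the URLs generated by the application no longer contain an encoded "?".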
    