Problem/Motivation

The flag link URL "destination" query argument includes the entity URL, but also the same URL unnecessarily repeated as a "?q=" query argument.

This breaks in mod_rewrite in Apache HTTP Server 2.4.60 and later, which takes exception to having "?" encoded as %3F in a query argument that is being rewritten. Security issue description: https://www.cve.org/CVERecord?id=CVE-2024-38474

Adding "UnsafeAllow3F" to the Drupal main rewrite rule works around this security limitation:

  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA,UnsafeAllow3F]

This works around the problem, but ideally the URL created by Flag should not include the "?q=" part.

Will investigate further when I get time.
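As an added example that is not part of this issue or of the Flag module's code, the following Python script scans access-log lines for Flag links whose "destination" still carries the redundant "?q=" repeat (the encoded "?" that the newer mod_rewrite rejects) and shows the same link with that part removed; the log lines, paths, status codes and the token argument are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample access-log lines (not from the original report). The first
# request has the Flag link shape described above: the entity path in
# "destination", followed by the same path repeated as "?q=" (sent as %3F / %3D).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2024:10:00:01 +0000] "GET /flag/flag/bookmark/1?destination=/node/1%3Fq%3Dnode/1&token=abc HTTP/1.1" 403 199
10.0.0.6 - - [02/Jul/2024:10:00:02 +0000] "GET /node/2 HTTP/1.1" 200 5120
10.0.0.7 - - [02/Jul/2024:10:00:03 +0000] "GET /flag/unflag/bookmark/3?destination=/node/3&token=def HTTP/1.1" 200 64
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def destination_of(target):
    """Decoded 'destination' argument of a request target, or None if absent."""
    args = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return args.get("destination", [None])[0]

def has_redundant_q(target):
    """True when the destination carries its own query string (the encoded '?')
    whose 'q' argument merely repeats the destination path."""
    dest = destination_of(target)
    if not dest or "?" not in dest:
        return False
    path, _, inner = dest.partition("?")
    q = parse_qs(inner).get("q", [None])[0]
    return q is not None and q.strip("/") == path.strip("/")

def strip_redundant_q(target):
    """Rebuild the link with the '?q=...' repeat removed from its destination."""
    if not has_redundant_q(target):
        return target
    parts = urlsplit(target)
    args = parse_qs(parts.query, keep_blank_values=True)
    path, _, inner = args["destination"][0].partition("?")
    rest = parse_qs(inner, keep_blank_values=True)
    rest.pop("q", None)  # drop only the redundant repeat, keep any other arguments
    args["destination"] = [path + ("?" + urlencode(rest, doseq=True) if rest else "")]
    return urlunsplit(parts._replace(query=urlencode(args, doseq=True, safe="/")))

def affected_targets(log_text):
    """Request targets in the log whose destination still carries the redundant '?q='."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and has_redundant_q(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Run `affected_targets(SAMPLE_LOG)` against a real access log to see how many Flag links are still generated with the repeat, and `strip_redundant_q` to see what the link would look like without the "?q=" part.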

Comments

fonant created an issue. See original summary.

fonant

Title: Flag link URL contains ?q= unnecessarily, breaks in newer Apache » Flag link URL contains ?q= unnecessarily, breaks in Apache 2.4.60 and later

johns996

I noticed a similar issue with the UnsafeAllow3F Apache update that was added to repos around July 1, 2024. I'm running a Drupal multisite and each site runs in a subdirectory of the main domain. Each of these sites has its own block of rewrites in the main .htaccess. For any of the admin URLs to function after this Apache update, I needed to add the new flag like the example below.

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} ^/example/(.*)$
  RewriteRule ^(.*)$ /example/index.php?q=$1 [B,L,QSA,UnsafeAllow3F]
ivnish

Version: 8.x-4.x-dev » 5.x-dev