--- modules/mappers/mod_rewrite.c Mon Aug 20 10:22:53 2012

+++ modules/mappers/mod_rewrite.c Tue Sep 18 04:02:33 2012

@@ -4319,14 +4319,29 @@

/* Unless the anyuri option is set, ensure that the input to the

* first rule really is a URL-path, avoiding security issues with

* poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */

+ /*

+ * We believe that URI starting with "http://" is valid and thus we fork

+ * here little bit from upstream. I'm intentionally not optimizing

+ * following if statement to keep changes against upstream clear.

+ * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774

+ */

if ((dconf->options & OPTION_ANYURI) == 0

&& ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')

- || !r->uri || r->uri[0] != '/')) {

+ || !r->uri)) {

rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "

"Consult the manual entry for the RewriteOptions directive "

"for options and caveats about matching other strings.",

r->uri));

return DECLINED;

+ } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {

+ if (strncmp(r->uri, "http://" , 7) != 0 &&

+ strncmp(r->uri, "https://", 8 )!= 0) {

+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "

+ "Consult the manual entry for the RewriteOptions directive "

+ "for options and caveats about matching other strings.",

+ r->uri));

+ return DECLINED;

+ }

}

/*