From a1a93beb58b81f1de2b713ae5f96c41ed5952a74 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Wed, 17 Jul 2024 20:50:12 +0000 Subject: mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. PR 69197. Track in do_expand() whether a '?' in the uri-path comes from a literal in the substitution string or from an expansion (variable, lookup, ...). In the former case it's safe to assume that it's the query-string separator but for the other case it's not (could be a decoded %3f from r->uri). This allows to avoid [UnsafeAllow3F] for most cases. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919325 13f79535-47bb-0310-9956-ffa450edef68 --- changes-entries/pr69197.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changes-entries/pr69197.txt (limited to 'changes-entries') diff --git a/changes-entries/pr69197.txt b/changes-entries/pr69197.txt new file mode 100644 index 0000000000..1aa393a2ac --- /dev/null +++ b/changes-entries/pr69197.txt @@ -0,0 +1,2 @@ + *) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. + PR 69197. [Yann Ylavic, Eric Covener] \ No newline at end of file -- cgit v1.2.3
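Review bot: the new changes-entries/pr69197.txt ends without a trailing newline (the "\ No newline at end of file" marker after the second added line). Please terminate the last line so the entry cannot run into whatever follows it if the entry files are concatenated. The entry text itself, "Better question mark tracking to avoid UnsafeAllow3F", also tells an administrator less than the commit message does. It would help to carry over the operative rule in one clause: a '?' that is a literal in the substitution string is taken as the query-string separator, while one that comes from an expansion (variable, lookup) is not, since it could be a decoded %3f from r->uri. Because the commit message says this avoids [UnsafeAllow3F] for "most cases", the entry could also note that the flag is still needed for the remaining ones, so readers do not assume they can drop it everywhere. This view is limited to 'changes-entries', so the do_expand() change described in the message is not visible here and has to be reviewed against the full commit.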