From: Eric Covener <covener@apache.org>
Date: Mon, 21 Jul 2025 11:12:44 +0000 (+0000)
Subject: fix `rewritecond expr` regression in 2.4.64
X-Git-Tag: 2.4.65-rc2-candidate~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8abb3d06b23975705ebcf4bf4476464fd0b9bd0b;p=thirdparty%2Fapache%2Fhttpd.git

fix `rewritecond expr` regression in 2.4.64

  *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
     always evaluates to true in 2.4.64 (cve.mitre.org)
     A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
     expr ..." tests evaluating as "true".
     Users are recommended to upgrade to version 2.4.65, which fixes
     the issue.


Reviewed By: covener, ylavic, gbechis, jorton



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927361 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index f9fcd61400..ae0ceda050 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4276,8 +4276,9 @@ test_str_l:
                 rc = COND_RC_NOMATCH;
             }
             else {
-                rc = COND_RC_MATCH;
+                rc = (rc > 0) ? COND_RC_MATCH : COND_RC_NOMATCH;
             }
+
             /* update briRC backref info */
             if (rc && !(p->flags & CONDFLAG_NOTMATCH)) {
                 ctx->briRC.source = source;