From: Rich Bowen Date: Mon, 11 May 2026 17:12:49 +0000 (+0000) Subject: Rewrite guide: merge duplicate SSRF warning in flags.xml [P] section X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f70546fb29572d89062b4004a7165fc3ce48c0a;p=thirdparty%2Fapache%2Fhttpd.git Rewrite guide: merge duplicate SSRF warning in flags.xml [P] section The [P] flag section had two nearly identical security warnings. Merge into a single comprehensive warning that names the SSRF vulnerability explicitly and includes the mitigation advice from both. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934111 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/rewrite/TODO.md b/docs/manual/rewrite/TODO.md index 338e2dbce3..8cc356cffd 100644 --- a/docs/manual/rewrite/TODO.md +++ b/docs/manual/rewrite/TODO.md @@ -5,7 +5,7 @@ result in one file "owning" the content and others cross-referencing it. ## HIGH Priority -- [ ] **Per-directory path stripping** explained in full across three files +- [x] **Per-directory path stripping** explained in full across three files (intro.xml, tech.xml, htaccess.xml) with near-identical comparison tables in tech.xml and htaccess.xml. → htaccess.xml owns it; others get a brief mention + xref. @@ -24,7 +24,7 @@ result in one file "owning" the content and others cross-referencing it. description and complexity warnings from intro.xml. → Rewritten as concise intro + structured guide overview. -- [ ] **Duplicate SSRF warning in flags.xml** — two nearly identical +- [x] **Duplicate SSRF warning in flags.xml** — two nearly identical warning boxes within the [P] flag section. → Remove the literal duplicate. diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index 96f03a2f5f..f810d98dc0 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -633,10 +633,14 @@ to map remote content into the namespace of the local server.

Security Warning

Take care when constructing the target URL of the rule, considering -the security impact from allowing the client influence over the set of -URLs to which your server will act as a proxy. Ensure that the scheme -and hostname part of the URL is either fixed, or does not allow the -client undue influence.

+the security impact of allowing the client influence over the set of +URLs to which your server will act as a proxy. If any part of the +target URL is derived from user input (backreferences, query strings, +etc.), an attacker may be able to cause your server to make requests +to arbitrary internal or external hosts. This is known as a +Server-Side Request Forgery (SSRF) vulnerability. Ensure that the +scheme and hostname part of the URL is either fixed, or does not allow +the client undue influence.

@@ -657,16 +661,6 @@ will be used automatically.

Note: mod_proxy must be enabled in order to use this flag.

-Security warning -

Take care when constructing the target URL of the rule, considering -the security impact of allowing the client influence over the set of -URLs to which your server will act as a proxy. If any part of the -target URL is derived from user input (backreferences, query strings, -etc.), an attacker may be able to cause your server to make requests -to arbitrary internal or external hosts. This is known as a -Server-Side Request Forgery (SSRF) vulnerability.

-
-
PT|passthrough diff --git a/docs/manual/rewrite/index.xml b/docs/manual/rewrite/index.xml index c5c8fee244..9b7dd148bd 100644 --- a/docs/manual/rewrite/index.xml +++ b/docs/manual/rewrite/index.xml @@ -85,7 +85,7 @@ and the order in which rules and conditions are evaluated. -The Reference Manual +mod_rewrite Reference Documentation Mapping URLs to the Filesystem mod_rewrite wiki
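Review bot: The first TODO.md hunk, which flips "Per-directory path stripping" from `- [ ]` to `- [x]`, is unrelated to the SSRF warning merge and is not mentioned in the commit message; either split it into its own commit or add a sentence to the message saying the TODO entry was updated to reflect previously completed work, so the history explains why that item changed here.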
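Review bot: The resolution note on the SSRF item in the second TODO.md hunk still reads "→ Remove the literal duplicate." while the flags.xml change merges the two boxes and expands the wording; update the arrow note (for example "→ Merged into one warning that names SSRF") so the TODO record matches what was actually done.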
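Review bot: The last two removed lines of the second flags.xml hunk (the two bare "-" lines after the warning text, just before "PT|passthrough") appear empty in this rendering, so it is not visible whether they were blank lines or the closing tags of the note element; please confirm the [P] section's closing markup is intact and that the "Note: mod_proxy must be enabled in order to use this flag." paragraph is still followed by a proper section boundary. The deleted warning text itself is fully covered by the merged box above, so no advice is lost by the removal.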
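Review bot: The index.xml retitling of "The Reference Manual" to "mod_rewrite Reference Documentation" is outside this commit's stated purpose and is absent from the commit message; move it to a separate commit, or at least mention it in the message, so the SSRF-warning change can be reviewed and cherry-picked on its own.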