map to an unexpected filesystem location.</p>
<p><since>2.5.1</since></p>
+
+<highlight language="config">
+# This rule starts the substitution with a backreference.
+# Since 2.4.60, this is rejected by default to prevent the expanded
+# path from escaping the document root (CVE-2024-38475).
+# Only add UnsafePrefixStat after verifying the substitution cannot
+# resolve to a filesystem path outside your web root.
+RewriteRule "^/mirror/(.+)$" "$1" [PT,UnsafePrefixStat]
+</highlight>
+
+<note type="warning">
+This flag exists because of <a
+href="https://www.cve.org/CVERecord?id=CVE-2024-38475">CVE-2024-38475</a>.
+Without it, a substitution beginning with a backreference or variable
+that happens to match an existing filesystem path could allow requests
+to escape the document root. Use this flag only after confirming that
+the substitution is adequately constrained.
+</note>
+
</section>
<section id="flag_unc"><title>UNC</title>
<p> Setting this flag prevents the merging of multiple leading slashes,
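Review bot: the warning note's sentence "Without it, a substitution beginning with a backreference or variable ... could allow requests to escape the document root" reads as though the flag is what prevents the escape, while the example comment in the same hunk says such rules are "rejected by default" and that UnsafePrefixStat should be added only after verification, i.e. the flag opts out of the protection. Suggest rewording along the lines of "With this flag set, a substitution beginning with a backreference or variable that happens to match an existing filesystem path can map requests outside the document root." Two smaller points: the example's capture "(.+)" is unconstrained, which is the case the comment tells readers to verify against, so a pattern with a restricted character class would model the advice better; and the comment's "Since 2.4.60" sits directly under the unchanged "<since>2.5.1</since>" line, so it would help to say that 2.4.60 refers to the default rejection and 2.5.1 to the flag, if that is the intent.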