rewritten result has a '?' in the substitution. This protects from a malicious
URL taking advantage of a capture and re-substitution of the encoded
question mark.</p>
+
+<highlight language="config">
+# A PHP front controller that routes all requests via a query parameter.
+# Without UnsafeAllow3F, a request like /page%3Fname=test would return
+# 403 Forbidden because the rewritten substitution contains '?' while
+# the original request contains an encoded '%3F'.
+RewriteCond "%{REQUEST_FILENAME}" !-f
+RewriteCond "%{REQUEST_FILENAME}" !-d
+RewriteRule "(.+)" "index.php?route=$1" [L,QSA,UnsafeAllow3F]
+</highlight>
+
+<note type="warning">
+This flag exists because of <a
+href="https://www.cve.org/CVERecord?id=CVE-2024-38474">CVE-2024-38474</a>.
+Use it only on rules where you are certain that user-supplied <code>%3F</code>
+in the request cannot be exploited to manipulate the query string of the
+substitution target. Prefer restructuring URLs to avoid encoded question
+marks where possible.
+</note>
+
</section>
<section id="flag_unsafe_prefix_stat"><title>UnsafePrefixStat</title>
<p> Setting this flag is required in server-scoped substitutions
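Review bot: The example's RewriteRule line puts the whole captured path into the query string of the target (`"(.+)"` into `"index.php?route=$1"`, with QSA), which is the capture and re-substitution case the preceding paragraph says the 403 check protects against. The warning note then tells readers to use the flag only where a user-supplied %3F cannot manipulate the substitution's query string, but the example never says why this rule meets that condition, so it reads as a copy-paste recipe for turning the protection off on a catch-all front controller. Either extend the comment block to state what a request such as /page%3Fname=test becomes after the rewrite and what index.php must assume about the route value, or use a narrower pattern than `(.+)` so the flag is shown on a rule with a limited match. It would also help to move the warning note above the highlight block, so the condition is read before the example.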