From: Rich Bowen Date: Fri, 15 May 2026 20:03:35 +0000 (+0000) Subject: flags.xml: Add examples and security warnings for UnsafeAllow3F and UnsafePrefixStat X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=a1f226f0372b3be663ec39c2bad25b013512cab2;p=thirdparty%2Fapache%2Fhttpd.git flags.xml: Add examples and security warnings for UnsafeAllow3F and UnsafePrefixStat Both flags were introduced to address CVE-2024-38474 and CVE-2024-38475 respectively. Add practical examples showing common scenarios where each flag is needed (PHP front controller for UnsafeAllow3F; backreference- starting substitution for UnsafePrefixStat), along with warning notes linking to the relevant CVEs and advising restraint in their use. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934248 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index 45ff22c9d7..f6a2ba3592 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -1032,6 +1032,25 @@ marks where possible. map to an unexpected filesystem location.

2.5.1

+ + +# This rule starts the substitution with a backreference. +# Since 2.4.60, this is rejected by default to prevent the expanded +# path from escaping the document root (CVE-2024-38475). +# Only add UnsafePrefixStat after verifying the substitution cannot +# resolve to a filesystem path outside your web root. +RewriteRule "^/mirror/(.+)$" "$1" [PT,UnsafePrefixStat] + + + +This flag exists because of CVE-2024-38475. +Without it, a substitution beginning with a backreference or variable +that happens to match an existing filesystem path could allow requests +to escape the document root. Use this flag only after confirming that +the substitution is adequately constrained. + +
UNC

Setting this flag prevents the merging of multiple leading slashes,