Hi,

A few days ago the 'UnsafeAllow3F' flag was introduced: https://httpd.apache.org/security/vulnerabilities_24.html

After the update, we have started to get a lot of 403s due to the encoded '?' in the URLs passed as query parameters. To fix the problem we have started to stop encoding the '?' in the application code, but there are parts of our application where this is very difficult to do, for example when using third-party libraries, because the encoding happens internally.

So we are evaluating adding the flag 'UnsafeAllow3F' to our rewrite rule, but given the name of the flag and the documentation, it's not clear whether using the flag is safe or not:

> Setting this flag is required to allow a rewrite to continue if the HTTP request being written has an encoded question mark, '%3f', and the rewritten result has a '?' in the substitution. This protects from a malicious URL taking advantage of a capture and re-substitution of the encoded question mark.
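
The following is an added example, not part of the original post and not Apache's code: a simplified Python model of the check as the quoted documentation words it, showing when a rule answers 403 and how a decoded '%3f' in a capture moves the path/query boundary once the flag is set. The function name `rewrite`, the rules and the request paths are constructed for illustration, and the model assumes the rule pattern is matched against the decoded URL path.

```python
import re
from urllib.parse import unquote


def rewrite(raw_path, pattern, substitution, unsafe_allow_3f=False):
    """Model one rewrite rule; returns (status, path, query).

    Simplified from the documentation text only: refuse with 403 when the
    raw request contains an encoded '?' and the rewritten result contains
    a '?', unless the rule carries the UnsafeAllow3F flag.
    """
    decoded = unquote(raw_path)          # assumption: pattern sees the decoded path
    match = re.match(pattern, decoded)
    if match is None:
        return (200, decoded, None)      # rule does not apply, request passes through

    # Expand $N back-references the way a RewriteRule substitution names them.
    result = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), substitution)

    has_encoded_qmark = "%3f" in raw_path.lower()
    if has_encoded_qmark and "?" in result and not unsafe_allow_3f:
        return (403, None, None)

    # The first '?' in the result is where the query string starts, whether
    # the rule author wrote it or the capture carried it in.
    path, _, query = result.partition("?")
    return (200, path, query or None)


if __name__ == "__main__":
    # Constructed sample rules and requests.
    cases = [
        ("/go/page", r"^/go/(.*)$", "/app.php?target=$1", False),
        ("/go/page%3Fid=1", r"^/go/(.*)$", "/app.php?target=$1", False),
        ("/go/page%3Fid=1", r"^/go/(.*)$", "/app.php?target=$1", True),
        # No '?' in the rule itself: the capture alone supplies the query.
        ("/x/report%3fdebug=1", r"^/x/(.*)$", "/files/$1", True),
    ]
    for raw, pat, sub, flag in cases:
        print(raw, "flag" if flag else "no-flag", "->", rewrite(raw, pat, sub, flag))
```

In the last case the rule author wrote no query string at all, yet with the flag set the client-supplied text after '%3f' arrives at the backend as one, which is the capture and re-substitution the documentation refers to.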