[04:32] there's a regression in the latest apache2 updates at least for focal and impish. a request for e.g. /path/xyz gets passed to an uwsgi backend as /pat//xyz
[05:02] or to be more precise, I get SCRIPT_NAME="/pat" instead of "/path" and PATH_INFO="//abc" instead of "/abc"
[05:13] I hope this is enough to reproduce https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1945274
[05:13] Launchpad bug 1945274 in apache2 (Ubuntu) "security updates are breaking mod_wsgi apps" [Undecided, New]
[05:20] frickler: thanks.
[05:31] so the culprit seems to be CVE-2021-36160.patch, if I build the focal version without that patch, the issue is resolved
[05:31] A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).
[05:45] yeah, that was the likely candidate.
[06:09] so ... we are using this ProxyPass statement: ProxyPass "/placement" "unix:/var/run/uwsgi/placement-api.socket|uwsgi://uwsgi-uds-placement-api/" retry=0
[06:10] if I remove the trailing / in the uwsgi:// path, things get back to work. not sure if that's actually a bug in our deployment that was just uncovered by the CVE fix
[06:10] it also only affects some apps, not everything
[06:18] since there is no trailing / on "/placement" then I don't think there should be one on the uwsgi:// URI either
[06:21] see https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass - "If the first argument ends with a trailing /, the second argument should also end with a trailing /, and vice versa. Otherwise, the resulting requests to the backend may miss some needed slashes and do not deliver the expected results."
=== cpaelzer_ is now known as cpaelzer