Skip to content

Commit 64fb094

Browse files
jonasbardinojonasbardino
committed
Manually merge PR102: address ID rewriting issues on rocky8+ by adjusting the cert_mangling to be completely wrapped and slash-anchored throughout
git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6107 b75ad72c-e7d7-11dd-a971-7dbc132099af
1 parent 5572cb7 commit 64fb094

File tree

2 files changed

+44
-44
lines changed

2 files changed

+44
-44
lines changed

mig/install/apache-MiG-template.conf

Lines changed: 22 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1026,23 +1026,23 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
10261026
RewriteCond %{REQUEST_URI} ^/cert_redirect/
10271027
RewriteCond %{LA-U:ENV:SSL_CLIENT_S_DN} !^$
10281028
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
1029-
RewriteRule ^/cert_mangle/(.*) %{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
1029+
RewriteRule ^/cert_mangle/(.*) /cert_mangle/%{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
10301030

10311031
# Keep replacing space in DN with underscore
10321032

1033-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
1033+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
10341034

10351035
# Keep replacing slash in DN with plus
10361036

1037-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
1037+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
10381038

10391039
# Keep replacing double backslash from utf8 chars in DN with actual char
10401040
# E.g. to replace the 'oslash' letter on the form \\xC3\\xB8 with %C3%B8
10411041

1042-
RewriteRule ^(.*)\\x(..)(.*)/cert_mangle/(.*)$ $1${unescape:%$2}$3/cert_mangle/$4 [N]
1042+
RewriteRule ^/cert_mangle/(.*)\\x(..)(.*)/cert_mangle/(.*)$ /cert_mangle/$1${unescape:%$2}$3/cert_mangle/$4 [N]
10431043

10441044
# Finally remove certificate marker and unescape previously escaped path
1045-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
1045+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
10461046

10471047
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
10481048
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -1485,23 +1485,23 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
14851485
RewriteCond %{REQUEST_URI} ^/cert_redirect/
14861486
RewriteCond %{LA-U:ENV:SSL_CLIENT_S_DN} !^$
14871487
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
1488-
RewriteRule ^/cert_mangle/(.*) %{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
1488+
RewriteRule ^/cert_mangle/(.*) /cert_mangle/%{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
14891489

14901490
# Keep replacing space in DN with underscore
14911491

1492-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
1492+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
14931493

14941494
# Keep replacing slash in DN with plus
14951495

1496-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
1496+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
14971497

14981498
# Keep replacing double backslash from utf8 chars in DN with actual char
14991499
# E.g. to replace the 'oslash' letter on the form \\xC3\\xB8 with %C3%B8
15001500

1501-
RewriteRule ^(.*)\\x(..)(.*)/cert_mangle/(.*)$ $1${unescape:%$2}$3/cert_mangle/$4 [N]
1501+
RewriteRule ^/cert_mangle/(.*)\\x(..)(.*)/cert_mangle/(.*)$ /cert_mangle/$1${unescape:%$2}$3/cert_mangle/$4 [N]
15021502

15031503
# Finally remove certificate marker and unescape previously escaped path
1504-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
1504+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
15051505

15061506
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
15071507
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -2165,15 +2165,15 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
21652165
RewriteCond %{LA-U:REMOTE_USER} !^$
21662166
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
21672167
RewriteRule ^/cert_mangle/(.*) /strip_provider/%{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,C]
2168-
RewriteRule ^/strip_provider/__MIG_OID_PROVIDER_ID__/*(.+)/cert_mangle/(.*) $1/cert_mangle/$2 [NE,N]
2168+
RewriteRule ^/strip_provider/__MIG_OID_PROVIDER_ID__/*(.+)/cert_mangle/(.*) /cert_mangle/$1/cert_mangle/$2 [NE,N]
21692169

21702170
# Keep replacing space in DN with underscore
21712171

2172-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
2172+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
21732173

21742174
# Keep replacing slash in DN with plus
21752175

2176-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
2176+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
21772177

21782178
# Finally remove certificate marker and unescape previously escaped path
21792179
# IMPORTANT: all major browsers have trouble to some extent when accessing
@@ -2187,7 +2187,7 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
21872187
# NOTE: we proxy here to make sure we only target cert mangled paths.
21882188
# It does NOT mean that we skip chroot check below as that will still
21892189
# happen in the new request caused by the proxy'ing.
2190-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
2190+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
21912191

21922192
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
21932193
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -2767,15 +2767,15 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
27672767
RewriteCond %{LA-U:REMOTE_USER} !^$
27682768
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
27692769
RewriteRule ^/cert_mangle/(.*) /strip_provider/%{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,C]
2770-
RewriteRule ^/strip_provider/__EXT_OID_PROVIDER_ID__/*(.+)/cert_mangle/(.*) $1/cert_mangle/$2 [NE,N]
2770+
RewriteRule ^/strip_provider/__EXT_OID_PROVIDER_ID__/*(.+)/cert_mangle/(.*) /cert_mangle/$1/cert_mangle/$2 [NE,N]
27712771

27722772
# Keep replacing space in DN with underscore
27732773

2774-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
2774+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
27752775

27762776
# Keep replacing slash in DN with plus
27772777

2778-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
2778+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
27792779

27802780
# Finally remove certificate marker and unescape previously escaped path
27812781
# IMPORTANT: all major browsers have trouble to some extent when accessing
@@ -2789,7 +2789,7 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
27892789
# NOTE: we proxy here to make sure we only target cert mangled paths.
27902790
# It does NOT mean that we skip chroot check below as that will still
27912791
# happen in the new request caused by the proxy'ing.
2792-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
2792+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
27932793

27942794
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
27952795
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -3693,15 +3693,15 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
36933693
RewriteCond %{REQUEST_URI} ^/cert_redirect/
36943694
RewriteCond %{LA-U:REMOTE_USER} !^$
36953695
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
3696-
RewriteRule ^/cert_mangle/(.*) %{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,N]
3696+
RewriteRule ^/cert_mangle/(.*) /cert_mangle/%{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,N]
36973697

36983698
# Keep replacing space in DN with underscore
36993699

3700-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
3700+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
37013701

37023702
# Keep replacing slash in DN with plus
37033703

3704-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
3704+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
37053705

37063706
# Finally remove certificate marker and unescape previously escaped path
37073707
# IMPORTANT: all major browsers have trouble to some extent when accessing
@@ -3716,7 +3716,7 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
37163716
# NOTE: we proxy here to make sure we only target cert mangled paths.
37173717
# It does NOT mean that we skip chroot check below as that will still
37183718
# happen in the new request caused by the proxy'ing.
3719-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
3719+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
37203720

37213721
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
37223722
# Apache starts chkuserroot prg as a shared daemon for all requests from this

tests/fixture/confs-stdlocal/MiG.conf

Lines changed: 22 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1026,23 +1026,23 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
10261026
RewriteCond %{REQUEST_URI} ^/cert_redirect/
10271027
RewriteCond %{LA-U:ENV:SSL_CLIENT_S_DN} !^$
10281028
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
1029-
RewriteRule ^/cert_mangle/(.*) %{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
1029+
RewriteRule ^/cert_mangle/(.*) /cert_mangle/%{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
10301030

10311031
# Keep replacing space in DN with underscore
10321032

1033-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
1033+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
10341034

10351035
# Keep replacing slash in DN with plus
10361036

1037-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
1037+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
10381038

10391039
# Keep replacing double backslash from utf8 chars in DN with actual char
10401040
# E.g. to replace the 'oslash' letter on the form \\xC3\\xB8 with %C3%B8
10411041

1042-
RewriteRule ^(.*)\\x(..)(.*)/cert_mangle/(.*)$ $1${unescape:%$2}$3/cert_mangle/$4 [N]
1042+
RewriteRule ^/cert_mangle/(.*)\\x(..)(.*)/cert_mangle/(.*)$ /cert_mangle/$1${unescape:%$2}$3/cert_mangle/$4 [N]
10431043

10441044
# Finally remove certificate marker and unescape previously escaped path
1045-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
1045+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
10461046

10471047
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
10481048
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -1485,23 +1485,23 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
14851485
RewriteCond %{REQUEST_URI} ^/cert_redirect/
14861486
RewriteCond %{LA-U:ENV:SSL_CLIENT_S_DN} !^$
14871487
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
1488-
RewriteRule ^/cert_mangle/(.*) %{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
1488+
RewriteRule ^/cert_mangle/(.*) /cert_mangle/%{LA-U:ENV:SSL_CLIENT_S_DN}/cert_mangle/$1 [NE,N]
14891489

14901490
# Keep replacing space in DN with underscore
14911491

1492-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
1492+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
14931493

14941494
# Keep replacing slash in DN with plus
14951495

1496-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
1496+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
14971497

14981498
# Keep replacing double backslash from utf8 chars in DN with actual char
14991499
# E.g. to replace the 'oslash' letter on the form \\xC3\\xB8 with %C3%B8
15001500

1501-
RewriteRule ^(.*)\\x(..)(.*)/cert_mangle/(.*)$ $1${unescape:%$2}$3/cert_mangle/$4 [N]
1501+
RewriteRule ^/cert_mangle/(.*)\\x(..)(.*)/cert_mangle/(.*)$ /cert_mangle/$1${unescape:%$2}$3/cert_mangle/$4 [N]
15021502

15031503
# Finally remove certificate marker and unescape previously escaped path
1504-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
1504+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [N]
15051505

15061506
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
15071507
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -2165,15 +2165,15 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
21652165
RewriteCond %{LA-U:REMOTE_USER} !^$
21662166
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
21672167
RewriteRule ^/cert_mangle/(.*) /strip_provider/%{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,C]
2168-
RewriteRule ^/strip_provider//*(.+)/cert_mangle/(.*) $1/cert_mangle/$2 [NE,N]
2168+
RewriteRule ^/strip_provider//*(.+)/cert_mangle/(.*) /cert_mangle/$1/cert_mangle/$2 [NE,N]
21692169

21702170
# Keep replacing space in DN with underscore
21712171

2172-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
2172+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
21732173

21742174
# Keep replacing slash in DN with plus
21752175

2176-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
2176+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
21772177

21782178
# Finally remove certificate marker and unescape previously escaped path
21792179
# IMPORTANT: all major browsers have trouble to some extent when accessing
@@ -2187,7 +2187,7 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
21872187
# NOTE: we proxy here to make sure we only target cert mangled paths.
21882188
# It does NOT mean that we skip chroot check below as that will still
21892189
# happen in the new request caused by the proxy'ing.
2190-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
2190+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
21912191

21922192
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
21932193
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -2767,15 +2767,15 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
27672767
RewriteCond %{LA-U:REMOTE_USER} !^$
27682768
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
27692769
RewriteRule ^/cert_mangle/(.*) /strip_provider/%{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,C]
2770-
RewriteRule ^/strip_provider//*(.+)/cert_mangle/(.*) $1/cert_mangle/$2 [NE,N]
2770+
RewriteRule ^/strip_provider//*(.+)/cert_mangle/(.*) /cert_mangle/$1/cert_mangle/$2 [NE,N]
27712771

27722772
# Keep replacing space in DN with underscore
27732773

2774-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
2774+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
27752775

27762776
# Keep replacing slash in DN with plus
27772777

2778-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
2778+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
27792779

27802780
# Finally remove certificate marker and unescape previously escaped path
27812781
# IMPORTANT: all major browsers have trouble to some extent when accessing
@@ -2789,7 +2789,7 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
27892789
# NOTE: we proxy here to make sure we only target cert mangled paths.
27902790
# It does NOT mean that we skip chroot check below as that will still
27912791
# happen in the new request caused by the proxy'ing.
2792-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
2792+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
27932793

27942794
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
27952795
# Apache starts chkuserroot prg as a shared daemon for all requests from this
@@ -3693,15 +3693,15 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
36933693
RewriteCond %{REQUEST_URI} ^/cert_redirect/
36943694
RewriteCond %{LA-U:REMOTE_USER} !^$
36953695
RewriteRule ^/cert_redirect/(.*) /cert_mangle/${escape:$1} [C]
3696-
RewriteRule ^/cert_mangle/(.*) %{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,N]
3696+
RewriteRule ^/cert_mangle/(.*) /cert_mangle/%{LA-U:REMOTE_USER}/cert_mangle/$1 [NE,N]
36973697

36983698
# Keep replacing space in DN with underscore
36993699

3700-
RewriteRule ^(.*)\ (.*)/cert_mangle/(.*)$ $1_$2/cert_mangle/$3 [N]
3700+
RewriteRule ^/cert_mangle/(.*)\ (.*)/cert_mangle/(.*)$ /cert_mangle/$1_$2/cert_mangle/$3 [N]
37013701

37023702
# Keep replacing slash in DN with plus
37033703

3704-
RewriteRule ^(.*)/(.*)/cert_mangle/(.*)$ $1+$2/cert_mangle/$3 [N]
3704+
RewriteRule ^/cert_mangle/(.*)/(.*)/cert_mangle/(.*)$ /cert_mangle/$1+$2/cert_mangle/$3 [N]
37053705

37063706
# Finally remove certificate marker and unescape previously escaped path
37073707
# IMPORTANT: all major browsers have trouble to some extent when accessing
@@ -3716,7 +3716,7 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
37163716
# NOTE: we proxy here to make sure we only target cert mangled paths.
37173717
# It does NOT mean that we skip chroot check below as that will still
37183718
# happen in the new request caused by the proxy'ing.
3719-
RewriteRule ^(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
3719+
RewriteRule ^/cert_mangle/(.+)/cert_mangle/(.*)$ /$1/${unescape:$2} [P]
37203720

37213721
# Prevent e.g. symlinks escaping user chroots once past cert mangling.
37223722
# Apache starts chkuserroot prg as a shared daemon for all requests from this

0 commit comments

Comments
 (0)