In Progress UPS-505 - AH10411 errors after Apache update (v2.4.56)

[kalexan]

Hello.

After a recent Apache update to v2.4.56 (beginning March 2023), resources that their URL contain spaces and are processed by mod_rewrite, even if spaces are properly encoded (%20 for space char), cannot be served (404 or 401 error). Apache error log is flooded with the following error:

 AH10411: Rewritten query string contains control characters or spaces, referrer: WEBSITE URL

This is a quite new error and I cannot see any reports, except this reference:
https://stackoverflow.com/questions...-managing-spaces-and-20-in-apache-mod-rewrite

Has anybody else experienced the same problem?

 

[cPRex]

Hey hey! Yes, our team is aware of this issue with Apache, and it has been reported upstream as well:

'RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56' - MARC

The Stack Overflow link is the only thing public about this at this point also. Once Apache releases a fix, we'll be sure to apply it! You'll see that under case UPS-505 in the change logs once that fix is released.

 

[horizon2021]

Is it possible to roll-back the Apache version on a server until this AH10411 issue is solved?

Are there instructions for this?

I have not had to roll-back to a previous version of apache to date, but I was shocked today to find multiple sites broken which had spaces in their URLs and would like to solve this as quickly as possible so the websites are not broken.

 

[valentinmanescu]

Hello,

It's a very big issue for our customers too. Please find a solution to roll-back until we received an update.
As I checked here - https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/STATUS I see that are 2-5 releases / year, so probably we will have to wait 1-3 months minimum, if the problem will be considered a bug.

Best regards,
Valentin

 

[cPRex]

The official workaround mentioned from Apache is to add a "B" to the rewrites that are experiencing problems. For example:

RewriteRule ^([^?]*) index.php?_route_=$1 [B,L,QSA]

However, that isn't ideal since you need to adjust your code.

I do see Apache has a fix in place and tested here: https://dist.apache.org/repos/dist/dev/httpd/CHANGES_2.4.57

and it looks like they are just waiting to release that, so I would expect that to be sooner than the typical 1-3 months mentioned.

I would not recommend rolling back, since the previous version contains other security fixes.

 

[sparek-3]

You can downgrade Apache back to 2.4.55 with

yum downgrade ea-apache24-2.4.55-2.2.5.cpanel

Or you can see all of the installable candidates with

yum --showduplicates list ea-apache24

 

[horizon2021]

Thanks very much for the help. Greatly appreciated.

 

[kdean]

Apache 2.4.57 is released, so now it's just a matter of cPanel adding it.

 

[kalexan]

Hello!

Any news on this?

 

[cPRex]

We released Apache 2.4.57 on April 12, so this has been out in the wild for a bit now!