Hi, I'm investigating the issue and tryng to find what pieces are missing between jammy and plucky that fix that issue.
So far, I could reproduce the issue with the config you pasted: in Jammy: [Tue Apr 22 11:10:18.009699 2025] [rewrite:error] [pid 9771] [client 127.0.0.1:56084] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F [Tue Apr 22 11:10:25.648474 2025] [rewrite:error] [pid 9772] [client 127.0.0.1:36442] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F in Plucky: 127.0.0.1 - - [22/Apr/2025:07:47:57 -0300] "GET /fred HTTP/1.1" 403 491 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2103723 Title: Fix for CVE-2024-38474 also blocks %3f in appended query strings To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2103723/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
