fix rewritecond expr regression in 2.4.64

covener · covener · commit 8abb3d06b239 · 2025-07-21T11:12:44.000Z
*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 (cve.mitre.org) A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. Reviewed By: covener, ylavic, gbechis, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927361 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
@@ -4276,8 +4276,9 @@ static cond_return_type apply_rewrite_cond(rewritecond_entry *p, rewrite_ctx *ct
                 rc = COND_RC_NOMATCH;
             }
             else {
-                rc = COND_RC_MATCH;
+                rc = (rc > 0) ? COND_RC_MATCH : COND_RC_NOMATCH;
             }
+
             /* update briRC backref info */
             if (rc && !(p->flags & CONDFLAG_NOTMATCH)) {
                 ctx->briRC.source = source;

Original file line number	Diff line number	Diff line change
`@@ -4276,8 +4276,9 @@ static cond_return_type apply_rewrite_cond(rewritecond_entry p, rewrite_ctx ct`
`4276`	`4276`	`rc = COND_RC_NOMATCH;`
`4277`	`4277`	`}`
`4278`	`4278`	`else {`
`4279`		`- rc = COND_RC_MATCH;`
	`4279`	`+ rc = (rc > 0) ? COND_RC_MATCH : COND_RC_NOMATCH;`
`4280`	`4280`	`}`
	`4281`	`+`
`4281`	`4282`	`/* update briRC backref info */`
`4282`	`4283`	`if (rc && !(p->flags & CONDFLAG_NOTMATCH)) {`
`4283`	`4284`	`ctx->briRC.source = source;`