From d079f0b80462b85b7ca0c3d54ed6fc450e2a1274 Mon Sep 17 00:00:00 2001
From: NicoDucou
Date: Thu, 25 May 2023 15:12:57 +0200
Subject: [PATCH] System: Security: indication on how to fix an apache since problem present since version 2.4.38-3 with rediction of URL with spaces not working any more - refs BT#20674 and BT#20614
---
.htaccess | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/.htaccess b/.htaccess
index fd70ab2fa5..c10440a8a5 100755
--- a/.htaccess
+++ b/.htaccess
@@ -34,14 +34,23 @@ RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_ur
 # Rewrite everything in the document folder of a course to the download script
 # Except certificate resources, which might need to be accessible publicly to all
 RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
+# Note : since version 2.4.38-3 of Apache a security fix had a side effect that made redirection with space not to work.
+# To fix this issue we did not have a common syntaxis but it work with one of those 2 options :
+# changing at the end of the following line [QSA,L] for [QSA,L,B=\x20?] or for "[QSA,L,B= ?,BNP]"
 RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]
 # Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)
 RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]
 # Course upload files
+# Note : since version 2.4.38-3 of Apache a security fix had a side effect that made redirection with space not to work.
+# To fix this issue we did not have a common syntaxis but it work with one of those 2 options :
+# changing at the end of the following line [QSA,L] for [QSA,L,B=\x20?] or for "[QSA,L,B= ?,BNP]"
 RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 [QSA,L]
 # Rewrite everything in the work folder
+# Note : since version 2.4.38-3 of Apache a security fix had a side effect that made redirection with space not to work.
+# To fix this issue we did not have a common syntaxis but it work with one of those 2 options :
+# changing at the end of the following line [QSA,L] for [QSA,L,B=\x20?] or for "[QSA,L,B= ?,BNP]"
 RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]
 RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
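Review bot: The added notes leave the three `RewriteRule` lines at `[QSA,L]`, so an installation on an affected Apache build keeps failing for file names containing spaces until an administrator edits each rule by hand, and the text says neither which symptom to look for nor which Apache versions accept each of the two flag forms. Both suggested forms restrict `B` to the space and `?` characters, which leaves other special characters such as `&` unescaped when `$2`/`$3` are copied into the query string of the download scripts; if nothing depends on the narrow list, plain `B` (with `BNP` where `%20` rather than `+` is wanted) escapes the whole backreference, to be verified against the mod_rewrite version in use. `2.4.38-3` reads like a distribution package revision rather than an upstream Apache release, so naming the distribution would make the note checkable. The same three comment lines are added before the `document`, `upload` and `work` rules; one block above the first of them, for example `# Apache builds carrying the mod_rewrite security fix no longer rewrite URLs containing spaces; for the document, upload and work rules below, replace [QSA,L] with [QSA,L,B=\x20?] or, quoted, "[QSA,L,B= ?,BNP]"`, would keep the copies from drifting apart.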