Redirect Manager Broken for URLs with Query Strings After Apache 2.4.63 Upgrade

[zivkos]

Following a recent AEM as a Cloud Service maintenance release — documented here:
🔗 AEM Maintenance Release Notes — and the upgrade to Apache HTTP Server version 2.4.63, a breaking change was introduced in how mod_rewrite handles question marks (?) in URLs.

As a result of this change, Redirect Manager will no longer function correctly when the target URL includes a ? character. Redirects that previously worked with query strings now fail or behave unexpectedly.

Root Cause:

Apache HTTPD 2.4.63 introduced a change in mod_rewrite that alters how the ? character is processed in rewrite and redirect rules. This impacts scenarios where the destination URL contains a query string.

Workaround:

The only currently known workaround is to explicitly add the UnsafeAllow3F flag to the redirect rule.
This flag re-enables support for ? characters in target URLs, allowing the redirect to function as it did prior to the upgrade.

# The Redirect Manager-managed map
RewriteMap site_redirects dbm=sdbm:/tmp/rewrites/site_redirects.map

# If the redirect mapped value contains `.html`
RewriteCond ${site_redirects:$1} !=""
RewriteCond ${site_redirects:$1} \.html
RewriteRule ^(.*)$ ${site_redirects:$1|/} [R=301,L,UnsafeAllow3F]

# If the redirect mapped value does NOT contain `.html`, append it
RewriteCond ${site_redirects:$1} !=""
RewriteCond ${site_redirects:$1} !\.html
RewriteRule ^(.*)$ ${site_redirects:$1|/}.html [R=301,L,UnsafeAllow3F]

[kwin]

Isn't the issue only with encoded question marks, i.e. %3f (https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_unsafe_allow_3f)? Who encodes the question mark in the case of redirect manager? It seems that

acs-aem-commons/bundle/src/main/java/com/adobe/acs/commons/redirects/filter/RedirectFilter.java

Line 368 in 7c88f0d

boolean handleRedirect(SlingHttpServletRequest slingRequest, SlingHttpServletResponse slingResponse) {

does not do any encoding of the question mark in a query.

[zivkos]

Hi @kwin , All redirect rules containing query strings (e.g., redirecting to /en/somesite.html?utm=value) have started returning a 403 Forbidden status after the latest update of AEM as a Cloud Service.

More details can be found in the release notes:
https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/release-notes/maintenance/latest

Known Issue from lates AEM Release .Note

The Apache HTTP Server version 2.4.63 introduced a breaking change in how mod_rewrite handles question marks (?) in URLs. This change was implemented to eliminate the use of the UnsafeAllow3F flag, previously considered a security risk. Consequently, any RewriteRule directives that rely on question mark detection in URL patterns are affected.

Note that we are putting redirect rule to redirect map so our cloud dispatcher section look like this :

# The Redirect Manager-managed map
RewriteMap site_redirects dbm=sdbm:/tmp/rewrites/site_redirects.map

# If the redirect mapped value contains `.html`
RewriteCond ${site_redirects:$1} !=""
RewriteCond ${site_redirects:$1} \.html
RewriteRule ^(.*)$ ${site_redirects:$1|/} [R=301,L,UnsafeAllow3F]

# If the redirect mapped value does NOT contain `.html`, append it
RewriteCond ${site_redirects:$1} !=""
RewriteCond ${site_redirects:$1} !\.html
RewriteRule ^(.*)$ ${site_redirects:$1|/}.html [R=301,L,UnsafeAllow3F]

Also note that we have to add FLAG UnsafeAllow3F to make this work on new AEM Cloud update version from 15 of July when this update took a place.

So i am not sure where encoding is happening in Redirect Filter or redirect map , but for sure it is happening... Hope it make sense.

[kwin]

There is two similarly named features for redirects in ACS AEM Commons:

1. Redirect Manager: https://adobe-consulting-services.github.io/acs-aem-commons/features/redirect-manager/index.html
2. Redirect Map Manager: https://adobe-consulting-services.github.io/acs-aem-commons/features/redirect-map-manager/index.html

Please clarify with which one you are experiencing issues.

[zivkos]

@kwin Redirect Manager - https://url.au.m.mimecastprotect.com/s/Ici6CzvkLYsQ1qMmH4fDi9-rur?domain=adobe-consulting-services.github.io
And the on AEM Cloud we use this to push redirect on Apache level
https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/pipeline-free-url-redirects

Thanks

[YegorKozlov]

@zivkos as a workaround you can disable the mod_rewrite rules and Redirect Manager will handle the redirects in AEM in a servlet filter. This will work for sure.

[zivkos]

@YegorKozlov Hi, yes, I'm aware of that — thanks for the suggestion. However, in an enterprise setup where you can have up to XYZ short url / redirect rules per site for a large website, it would not be optimal to constantly hit the AEM publishing instance. Therefore, we must have them at the dispatcher level.

At this stage, we have applied the Apache flag UnsafeAllow3F, which is the same advice we received from Adobe Support.

As a side note: We will still investigate on our end to figure out why the redirect with ? is getting encoded to %3F, and where exactly that is happening. If it's not in the AEM servlet, then it must be in the redirect map.