httpd-users-de mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: [mod-security-users] is there a way to replace &amp; with & in URLs
Date Tue, 21 Aug 2012 19:51:40 GMT
you completely misunderstood what i am saying

there is no problem with "arg_separator.output"

there are only a lot of problems with clients
broken by stupidity, not able to handle a 100% valid
<a href="/your-script.php?test1=1&amp;test2=0">
and following the URL with &amp; in the request
to the webserver INSTEAD of decoding the entity

this is plain wrong, there are hundreds of robots
doing it wrong and there are many clients (java,
apple-software) doing it also wrong which means
finally that the variable "test2" never reaches
the script leading to hundreds of duplicate
contents from the view of these crap-clients

and yes you MUST encode & in a href with &amp; if
you are using html-validators to verify your work
and before i write any software producing invalid
HTML i leave this business at all
__________________

the following mod_rewrite-rule does the trick but
i would be much more satisfied if mod_security could
do this replace instead of having mod_rewrite active on
some hundred domains with the overhead of a normally
not needed and probably not even loaded module

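<Directory />
 <IfModule mod_rewrite.c>
  RewriteEngine On
  # query string contains a literal "&amp;": %1 = text before it, %2 = text after it
  RewriteCond %{QUERY_STRING} (.*)&amp;(.*)
  # 301-redirect to the same URI with that "&amp;" replaced by "&";
  # [N] restarts the ruleset with the rewritten result
  RewriteRule .* %{REQUEST_URI}?%1&%2 [N,R=301]
 </IfModule>
</Directory>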


On 21.08.2012 18:26, Mario Brandt wrote:
> Usually that is set in php.ini
> see arg_separator.output
> 
> On Tue, Aug 21, 2012 at 12:44 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>
>>
>> On 21.08.2012 12:37, Josh Amishav-Zlatin wrote:
>>> On Tue, Aug 21, 2012 at 11:57 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>>
>>>     /show_content.php?sid=126&amp;detail_id=3984
>>>
>>>     i have a modsec-rule to kill such requests because they
>>>     will never show the expected content - is there a way
>>>     for modsec or httpd to replace them with the correct &
>>>     and fix this transparent?
>>>
>>> Hi Reindl,
>>> Mod_Rewrite should be able to help
>>
>> i doubt mod_rewrite for some hundred of vhosts before
>> the application firewall will not be so good :-(
>>
>> it is so frustrating that there are so many broken
>> mail-clients and robots which are too stupid to
>> handle correctly encoded HTML-URLs in a proper way
>>

-- 

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm
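
The failure described in the message above, as an added example that is not part of the original mail or of any project named in it: it shows which parameter names an application receives when a client requests the URL with the entity left undecoded, and computes the redirect target a normalizer would answer with. The function names and sample URLs are constructed for illustration; handling of a doubly encoded separator goes slightly beyond the single case in the thread, and the code assumes no legitimate parameter name begins with "amp;".

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# A raw "&" followed by one or more "amp;" (covers &amp; and &amp;amp;).
# Assumption: no legitimate parameter name starts with "amp;".
_ENTITY_SEP = re.compile(r"&(?:amp;)+")


def seen_by_application(url):
    """Parameter names a parser that splits on "&" only sees for this URL."""
    query = urlsplit(url).query
    return sorted(parse_qs(query, keep_blank_values=True, separator="&"))


def canonical_location(url):
    """Return the URL to redirect to, or None if the query needs no repair.

    Only a raw "&amp;" is rewritten. A percent-encoded "%26amp%3B" is data
    inside a value and is left untouched.
    """
    parts = urlsplit(url)
    fixed = _ENTITY_SEP.sub("&", parts.query)
    if fixed == parts.query:
        return None
    return urlunsplit(parts._replace(query=fixed))


# Constructed sample requests, modelled on the URL quoted in the thread.
SAMPLES = [
    "/show_content.php?sid=126&detail_id=3984",          # correct client
    "/show_content.php?sid=126&amp;detail_id=3984",      # entity not decoded
    "/show_content.php?sid=126&amp;amp;detail_id=3984",  # encoded twice
    "/show_content.php?q=a%26amp%3Bb&sid=126",           # literal inside a value
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        print("  parameters seen:", seen_by_application(url))
        print("  redirect to:    ", canonical_location(url))
```

For the second sample the application sees a parameter named "amp;detail_id" instead of "detail_id", which is why the expected content is never shown.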

