httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas DEBESSE <thomas.debe...@diocese-frejus-toulon.com>
Subject [users@httpd] Re: 403 Forbidden on unicode urlencoded GET parameters (SecFilter issue)
Date Tue, 28 Apr 2015 14:10:38 GMT
Sorry for the noise, the customer blindly copypasted a “security rule from
the Internet” in his htaccess, and this was a rules to forbid foreign
characters…

You will laugh with me, he wrote that, then complained about the Forbidden
he got :

> # Rules to block foreign characters in URLs
> RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
> RewriteRule ^(.*)$ - [F]

This topic is solved.

2015-04-28 15:42 GMT+02:00 Thomas DEBESSE <
thomas.debesse@diocese-frejus-toulon.com>:

> Hi, sorry, I don't know why I got a false positive yesterday, but this is
> not related to SecFilter, the options change nothing and removing the whole
> mod_security module changes nothing, so it's not related to mod_security.
>
> So this is my problem:
>
> When a GET parameter use an urlencoded unicode character (like “%C3%A0”)
> Apache answers “403 Forbidden” without logging nothing.
> I just have to call something like that:
> http://domain/script.php?action=Mettre+%C3%A0+jour to get a 403 Forbidden
> answer.
>
> Do you know what is the cause of this problem?
>
> Thank you in advance
>
> --
> Thomas DEBESSE
>



-- 
Thomas DEBESSE

Mime
View raw message