How do you configure Apache/PHP to accept slashes in query strings?

StackOverflow https://stackoverflow.com/questions/462082

Question

I have two Apache servers running PHP. One accepts forward-slashes in the query string and passes it along to PHP in the expected way, for example:

http://server/index.php?url=http://foo.bar

works and in PHP this expression is true:

$_REQUEST['url'] == "http://foo.bar"

However, in the other Apache server, the same URL results in a 403 Forbidden error! Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

Clearly there's some difference in the Apache or PHP configuration that causes this, but I can't figure out what!

I want to accept this form of URL in both cases, not reject it.

Was it helpful?

Solution

http://server/index.php?url=http://foo.bar is not a valid url. You have to encode the slashes. I think browsers do this automagically, so maybe you were testing with different browsers?

Or perhaps it's the AllowEncodedSlashes setting?

OTHER TIPS

A few posts here suggest the OP's usage is wrong, which is false.

Expanding on Sam152's comment, query strings are allowed to contain both ? and / characters, see section 3.4 of http://www.ietf.org/rfc/rfc3986.txt, which is basically the spec written by Tim Berners-Lee and friends governing how the web should operate.

The problem is that poorly written (or poorly configured, or misused) parsers interpret query string slashes as separating path components.

I have seen examples of PHP's pathinfo function being used to parse URL's. Pathinfo wasn't written to parse a URL. You can however extract the path using parse_url then use fileinfo to retrieve details from the path. You will see that parse_url handles / and ? in query strings just fine.

In any case, the overall problem is that this area is poorly understood all-round, even among experienced developers, and most people (myself included until recently) just assume that anything after the filename has to be urlencoded, which is patently false if you take the standards into consideration.

tl;dr Read the spec :)

Do you have mod_security installed? See this thread:

403 Forbidden on PHP page called with url encoded in a $_GET parameter

In your Apache config:

AllowEncodedSlashes On

See the documentation for more information:
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

Edit: Hmm, this may be what you already have working... I had this same problem, and what ended up fixing it for me was to just use $_SERVER['REQUEST_URI'] as that had the data I needed.

You dont specify what PHP does with this url. Does it redirect to this page or try to read it?

There is probably some mod_rewrite rule to remove double slashes, or for some other purpose, which tries to redirect this to somewhere it should not.

Maybe a regex without ^ before http://

Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

So it works when the query string is properly formatted and doesn't work when it isn't. What's the problem?

This sounds like another case of default magic_quotes_gpc. On the server causing problems check the php.ini and make sure that

magic_quotes_gpc = Off
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top