Issue
I use user-provided content to generate URLs.
One of my URLs had the title Kikar Habusiness - émission du 2/12/12, which converted to the URL /url/Kikar+Habusiness+-+émission+du+2%2F12%2F12.
It goes to a 404. If I remove the %2F from the URL it works fine.
An interesting thing is that my PHP code (using Yii) usually handles 404s with custom pages, but this one returns a default Apache 404, which leads me to believe it doesn't even reach my bootstrap file.
The .htaccess reads:
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php
My Yii parseUrl reads:
    public function parseUrl($manager, $request, $pathInfo, $rawPathInfo) {
        if (preg_match('%^url/(\d+)%', $pathInfo, $matches)) {
            $_GET['id'] = $matches[1];
            return 'url/view';
        }
        else if (preg_match('%^category/(\d+)%', $pathInfo, $matches)) {
            $_GET['id'] = $matches[1];
            return 'category/view';
        }
        return false;
    }
My URL slug generator is:
    public static function slug($title) {
        $title = ToolBox::trim($title, 60, false);
        $title = urlencode($title);
        return $title;
    }
Note that I cannot have basic ASCII URLs, because some of the content is non-latin (such as Hebrew or Arabic).
Solution
This is a common problem in Apache and nothing to do with Yii fortunately.
Apache will automatically block any URL it sees with encoded URL parts %2F (/) and %5C (\). It won't even reach any mod_proxy or mod_rewrite rules.
There are a number of ways around this without changing too much code, depending on your environment, including:
- "AllowEncodedSlashes" Directive
- Double urlencode() values
See here for a full list and instructions: http://www.jampmark.com/web-scripting/5-solutions-to-url-encoded-slashes-problem-in-apache.html
More info as the link is down
If you have access to it, you can enable the AllowEncodedSlashes directive; it's a very old semi-security fix that's turned off by default anyway. This will get round the problem. If you can't access the Apache configs, then you'll have to look into the other solutions.
Answered By - Paystey
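The "double urlencode()" option from the answer, as an added example that is not part of the original question or answer. The function names slugEncode(), slugDecode() and hasBlockedSequence() are hypothetical, rawurlencode() is used in place of the question's urlencode() so that spaces become %20, and the code assumes the path segment reaching the application has been percent-decoded exactly once on the way in.

```php
<?php
// Added example; slugEncode(), slugDecode() and hasBlockedSequence() are
// hypothetical names, not part of Yii or of the question's code.

/** Encode a title as one path segment, percent-encoding it twice. */
function slugEncode(string $title): string
{
    // First pass: "/" -> %2F, "\" -> %5C, non-ASCII -> UTF-8 percent escapes.
    // Second pass: every "%" -> %25, so "/" ends up as %252F in the link.
    return rawurlencode(rawurlencode($title));
}

/** Undo slugEncode() on a segment that has already been decoded once. */
function slugDecode(string $segment): string
{
    return rawurldecode($segment);
}

/** True if the string contains an encoded slash or backslash. */
function hasBlockedSequence(string $path): bool
{
    return preg_match('/%2F|%5C/i', $path) === 1;
}

// Constructed sample input: the title from the question plus a backslash case.
$titles = ['Kikar Habusiness - émission du 2/12/12', 'a\\b/c'];

foreach ($titles as $title) {
    $single    = rawurlencode($title);    // what a single pass produces
    $double    = slugEncode($title);      // what goes into the link
    $seenByApp = rawurldecode($double);   // assumption: one decoding pass upstream

    printf("title:         %s\n", $title);
    printf("single pass:   %s (blocked sequence: %s)\n", $single,
        hasBlockedSequence($single) ? 'yes' : 'no');
    printf("double pass:   %s (blocked sequence: %s)\n", $double,
        hasBlockedSequence($double) ? 'yes' : 'no');
    printf("round trip ok: %s\n\n",
        slugDecode($seenByApp) === $title ? 'yes' : 'no');
}
```

The decoded segment can contain "/" and "\", so treat it as display text or a lookup key and never join it into a filesystem path.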