6

I have two Apache servers running PHP. One accepts forward-slashes in the query string and passes it along to PHP in the expected way, for example:

http://server/index.php?url=http://foo.bar

works and in PHP this expression is true:

$_REQUEST['url'] == "http://foo.bar"

However, in the other Apache server, the same URL results in a 403 Forbidden error! Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

Clearly there's some difference in the Apache or PHP configuration that causes this, but I can't figure out what!

I want to accept this form of URL in both cases, not reject it.

2
  • Have you checked the log files? Commented Jan 20, 2009 at 17:02
  • I am 99.9% sure I've encountered this before but I can't remember for the life of me what I did to fix it. I'm looking around now... Commented Jan 20, 2009 at 17:02

7 Answers

7

A few posts here suggest the OP's usage is wrong, which is false.

Expanding on Sam152's comment, query strings are allowed to contain both ? and / characters; see section 3.4 of http://www.ietf.org/rfc/rfc3986.txt, which is basically the spec written by Tim Berners-Lee and friends governing how the web should operate.

The problem is that poorly written (or poorly configured, or misused) parsers interpret query string slashes as separating path components.

I have seen examples of PHP's pathinfo function being used to parse URLs. Pathinfo wasn't written to parse a URL. You can however extract the path using parse_url then use fileinfo to retrieve details from the path. You will see that parse_url handles / and ? in query strings just fine.

In any case, the overall problem is that this area is poorly understood all-round, even among experienced developers, and most people (myself included until recently) just assume that anything after the filename has to be urlencoded, which is patently false if you take the standards into consideration.

tl;dr Read the spec :)
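The parse_url behaviour described in the answer above, as an added example that is not part of the original post. The helper names `query_param` and `is_allowed_target`, the sample URLs and the host allowlist policy are assumptions made for illustration.

```php
<?php
// Added example; function names and sample URLs are constructed for illustration.

/** Return one query parameter from a full URL, or null if absent. */
function query_param(string $url, string $name): ?string
{
    // parse_url() ends the path at the first "?"; later "/" and "?" stay in the query.
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // splits on "&" and percent-decodes values
    return isset($params[$name]) && is_string($params[$name]) ? $params[$name] : null;
}

/** Accept only http(s) URLs whose host is on an explicit allowlist (assumed policy). */
function is_allowed_target(string $value, array $allowedHosts): bool
{
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

$inner   = 'http://foo.bar/a/b?x=1';
$raw     = 'http://server/index.php?url=' . $inner;               // literal slashes
$encoded = 'http://server/index.php?url=' . rawurlencode($inner); // %2F form

// Compare the parameter value recovered from both spellings.
var_dump(query_param($raw, 'url') === query_param($encoded, 'url'));

// pathinfo() treats the whole string as a file path and splits inside the query.
var_dump(pathinfo($raw));

// "&" and "#" inside the embedded value still need percent-encoding.
var_dump(query_param('http://server/index.php?url=http://foo.bar/?a=1&b=2', 'url'));

// The value is client-controlled, so check it before fetching or redirecting.
var_dump(is_allowed_target(query_param($raw, 'url'), ['foo.bar']));
var_dump(is_allowed_target('ftp://foo.bar/x', ['foo.bar']));
```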


0

http://server/index.php?url=http://foo.bar is not a valid url. You have to encode the slashes. I think browsers do this automagically, so maybe you were testing with different browsers?

Or perhaps it's the AllowEncodedSlashes setting?

2 Comments

Slashes are allowed in query string, as per RFC: ietf.org/rfc/rfc3986.txt
AllowEncodedSlashes only needed when encoded slash is in path part (which is forbidden by default)
0

Do you have mod_security installed? See this thread:

403 Forbidden on PHP page called with url encoded in a $_GET parameter


0

In your Apache config:

AllowEncodedSlashes On

See the documentation for more information:
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

Edit: Hmm, this may be what you already have working... I had this same problem, and what ended up fixing it for me was to just use $_SERVER['REQUEST_URI'] as that had the data I needed.


-1

You don't specify what PHP does with this URL. Does it redirect to this page or try to read it?

There is probably some mod_rewrite rule to remove double slashes, or for some other purpose, which tries to redirect this to somewhere it should not.

Maybe a regex without ^ before http://

1 Comment

PHP does get the page at all -- Apache throws a 403 exception error instead.
-1

Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

So it works when the query string is properly formatted and doesn't work when it isn't. What's the problem?


-1

This sounds like another case of default magic_quotes_gpc. On the server causing problems check the php.ini and make sure that

magic_quotes_gpc = Off
