
I use user-provided content to generate URLs.

One of my URLs had the title Kikar Habusiness - émission du 2/12/12, which was converted to the URL /url/Kikar+Habusiness+-+émission+du+2%2F12%2F12.

It goes to a 404. If I remove the %2F from the URL it works fine.

An interesting thing is that my PHP code (using Yii) usually handles 404s with custom pages, but this one returns a default Apache 404, which leads me to believe it doesn't even reach my bootstrap file.

The .htaccess reads:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php

My Yii parseUrl reads:

public function parseUrl($manager, $request, $pathInfo, $rawPathInfo) {
    // Routes of the form url/<id>... go to the url controller's view action
    if (preg_match('%^url/(\d+)%', $pathInfo, $matches)) {
        $_GET['id'] = $matches[1];
        return 'url/view';
    }
    // Routes of the form category/<id>... go to the category controller's view action
    else if (preg_match('%^category/(\d+)%', $pathInfo, $matches)) {
        $_GET['id'] = $matches[1];
        return 'category/view';
    }
    return false;
}

My URL slug generator is:

public static function slug($title) {
    // Shorten the title, then percent-encode it for use in the path
    $title = ToolBox::trim($title, 60, false);
    $title = urlencode($title);
    return $title;
}

Note that I cannot have basic ASCII URLs, because some of the content is non-latin (such as Hebrew or Arabic).

Nathan H

2 Answers

This is a common problem in Apache and, fortunately, has nothing to do with Yii.

Apache will automatically block any URL it sees with encoded URL parts %2F (/) and %5C (\). It won't even reach any mod_proxy or mod_rewrite rules.

There are a number of ways around this without changing too much code, depending on your environment, including:

  • "AllowEncodedSlashes" Directive
  • Double urlencode() values

See here for a full list and instructions: http://www.jampmark.com/web-scripting/5-solutions-to-url-encoded-slashes-problem-in-apache.html

More info, as the link is down:
If you have access to it, you can enable the AllowEncodedSlashes directive; it's a very old semi-security fix that is turned off by default anyway. This will get round the problem. If you can't access the Apache configs, then you'll have to look into the other solutions.

Daniel-KM
Paystey
  • Attached link is down. I'm not sure what %5C represents? If it's just those 2 characters, I plan to simply str_replace them with an empty string. I managed with the slash, but I'm not sure what to search for the second one. – Nathan H Dec 12 '12 at 12:46
  • Oh! That link worked not an hour ago. I'll leave it there in case it's a temporary problem. The editor also hid the backslash in the bracket because it thought it was escaping something, fixed that. – Paystey Dec 12 '12 at 13:02
  • I simply replaced the 2 forbidden characters with empty strings, as I am not using the actual string for anything - just for show for the users and the search engines. – Nathan H Dec 24 '12 at 11:28
  • Archive url: https://web.archive.org/web/20130116061518/http://www.jampmark.com/web-scripting/5-solutions-to-url-encoded-slashes-problem-in-apache.html – Daniel-KM Jul 04 '20 at 07:54
  • Double url encode is not recommended by w3c, so the more compliant solution is the Apache directive with the value `NoDecode` for security: `AllowEncodedSlashes NoDecode` – Daniel-KM Jul 04 '20 at 08:32
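The approach the asker settled on in the comments above, as an added example that is not the asker's or the answerer's code: a slug builder that strips "/" and "\" before encoding, so a generated path never contains %2F or %5C and is not rejected by Apache's default AllowEncodedSlashes setting. ToolBox::trim from the question is assumed unavailable and is replaced here by a multibyte-safe mb_substr cut; the hasEncodedSlash helper is also an assumption, not part of the project.

```php
<?php
// Added example, not the asker's code: a slug builder that never emits "/" or "\",
// so an Apache with the default "AllowEncodedSlashes Off" never sees %2F or %5C
// and the request reaches index.php. ToolBox::trim from the question is assumed
// unavailable and replaced by a multibyte-safe mb_substr cut.

function slug(string $title, int $maxLen = 60): string
{
    // Drop the two characters Apache rejects in encoded form (the asker's fix).
    $title = str_replace(['/', '\\'], '', $title);
    // Collapse whitespace runs so the slug has no repeated separators.
    $title = preg_replace('/\s+/u', ' ', trim($title));
    // Cut on characters, not bytes, so Hebrew/Arabic titles are not split mid-codepoint.
    $title = mb_substr($title, 0, $maxLen, 'UTF-8');
    // rawurlencode follows RFC 3986 (space -> %20, no "+"); non-Latin text
    // survives as percent-encoded UTF-8.
    return rawurlencode($title);
}

// Check to run before storing or emitting a generated path: true means the
// request would die with Apache's own 404 before reaching the rewrite rules.
function hasEncodedSlash(string $path): bool
{
    return (bool) preg_match('/%(2F|5C)/i', $path);
}

// Constructed demo using the title from the question.
$title = 'Kikar Habusiness - émission du 2/12/12';
$old = urlencode($title);   // original generator: contains %2F
$new = slug($title);        // fixed generator: no %2F or %5C
printf("old: %s (blocked: %s)\n", $old, hasEncodedSlash($old) ? 'yes' : 'no');
printf("new: %s (blocked: %s)\n", $new, hasEncodedSlash($new) ? 'yes' : 'no');
```

If you do control the Apache config, the alternative from the comment above is `AllowEncodedSlashes NoDecode`, which lets the request through with %2F left encoded so the application decides how to interpret it.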

The jampmark URL redirects to an incorrect page; use the below URL instead: http://www.leakon.com/archives/865

C oneil