Hi, I get some weird 403 errors while trying to use unicode urlencoded GET
parameters.

With ascii characters it works:

user@system:~$ curl -s -o /dev/null -I -w '%{http_code}' 'http://domain/script.php?action=Mettre+a+jour'
302

With unicode characters it works:

user@system:~$ curl -s -o /dev/null -I -w '%{http_code}' 'http://domain/script.php?action=Mettre+à+jour'
302

But with unicode urlencoded characters it does not work:

user@system:~$ curl -s -o /dev/null -I -w '%{http_code}' 'http://domain/script.php?action=Mettre+%C3%A0+jour'
403

As you see, the error message wrongly complains about the file path, since
the problem is in the GET parameters:

user@system:~$ curl 'http://domain/script.php?action=Mettre+%C3%A0+jour' |
html2text
****** Forbidden ******
You don't have permission to access /script.php on this server.


Also, when this kind of 403 error happens, Apache's error log is empty…

Some people are talking about this problem on the web, but they are so few
and it's hard to find a usable answer:
http://stackoverflow.com/questions/4862781/apache-escaped-umlauts-in-query-string-url-lead-to-403

Here I found a fix, but I don't understand what happens and what it does
and if it's safe to use. Can you say if this fix is safe to use?
https://wordpress.org/support/topic/strange-403-or-404-forbidden-errors-with-wordpress

This guy does:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

So this guy explicitly disabled some security options. Is disabling some
security options the only way to get unicode urlencoded GET parameters?

Since you now know which symptom I get and which option changes the
behavior, do you know what happens? Is this a bug?

Thanks in advance.

PS: I'm using Apache 2.2.22 on Debian 7 Wheezy.

--
Thomas DEBESSE
