Re: response with 400 when URI params are malformed

Hi,

Thanks for the reply.
It looks like Apache is handling the malformed params properly, but
not with the Phusion Passenger module.
I've already created an issue on the PP project.
If this does not get resolved, I will create a simple rule with mod_taint.

Best regards

Jakub Nieznalski

2013/2/5 Nick Kew <nick@xxxxxxxxxxxx>:
>
> On 5 Feb 2013, at 14:29, Jakub Nieznalski wrote:
>
>> Hi,
>>
>> I've got a problem: Apache accepts a malformed URI, for example
>> localhost/?foo=bar%
>> The percent sign makes that request invalid, but Apache will accept it.
>> Nginx or Unicorn will respond with 400.
>
> That's a request for URL / , with parameters foo=bar%
>
> I'd guess nothing in your server is looking at the parameters.
> If it's a static page and there's no complex configuration that
> might be affected by parameters, why should the server waste
> its time?
>
> Note that if you request /foo=bar% you will indeed get a 400.
>
>> How can I achieve the same result? Is there any mod or rule that will tell Apache to return 400 for an invalid request?
>
> If you want to protect some vulnerable application, a WAF.
> For a simpler solution to just the question, mod_taint.
>
> --
> Nick Kew
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
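
An added example, not part of the original thread or of any project mentioned in it: one way to get the 400 at the application layer, assuming the application behind Passenger is a Rack app. The class name StrictPercentEncoding and the logger callable are hypothetical; the check treats a "%" in the raw query string as valid only when two hex digits follow it.

```ruby
# Added example (not from the thread). Assumes a Rack application.
# StrictPercentEncoding is a hypothetical name; no gems are required.
class StrictPercentEncoding
  # RFC 3986 section 2.1: "%" must be followed by exactly two hex digits.
  BAD_ESCAPE = /%(?![0-9A-Fa-f]{2})/

  def initialize(app, logger: nil)
    @app = app
    @logger = logger # optional callable that receives one message string
  end

  # True when the still-encoded component contains a broken escape.
  # String#b gives a binary copy, so stray high bytes cannot make the
  # regex match raise an encoding error.
  def self.malformed?(component)
    component.to_s.b.match?(BAD_ESCAPE)
  end

  def call(env)
    query = env["QUERY_STRING"]
    if self.class.malformed?(query)
      # inspect escapes control characters, keeping the log line intact.
      @logger&.call("rejecting malformed query string: #{query.inspect}")
      body = "Bad Request\n"
      return [400,
              { "content-type" => "text/plain", "content-length" => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Constructed sample requests, run only when this file is executed directly.
if __FILE__ == $PROGRAM_NAME
  app = StrictPercentEncoding.new(->(_env) { [200, {}, ["ok"]] })
  ["foo=bar%", "foo=bar%2", "foo=%zz", "foo=bar%20baz", "foo=100%25", ""].each do |qs|
    status, = app.call("QUERY_STRING" => qs)
    puts format("%-16s -> %d", qs.inspect, status)
  end
end
```

In a Rack application this would be enabled with `use StrictPercentEncoding` in config.ru, ahead of any code that decodes parameters.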
