Hi, I get some weird 403 errors while trying to use unicode urlencoded GET parameters.
With ascii characters it works:
user@system:~$ curl -s -o /dev/null -I -w '%{http_code}' 'http://domain/script.php?action="">'
302
With unicode characters it works:
user@system:~$ curl -s -o /dev/null -I -w '%{http_code}' 'http://domain/script.php?action="">'
302
But with unicode urlencoded characters it does not work:
user@system:~$ curl -s -o /dev/null -I -w '%{http_code}' 'http://domain/script.php?action="">'
403
As you see, the error message wrongly complains about the file path, since the problem is in the GET parameters:
user@system:~$ curl 'http://domain/script.php?action="">' | html2text
****** Forbidden ******
You don't have permission to access /script.php on this server.
Also, when this kind of 403 error happens, Apache's error log is empty…
Some people are talking about this problem on the web, but they are so few and it's hard to find a usable answer:
http://stackoverflow.com/questions/4862781/apache-escaped-umlauts-in-query-string-url-lead-to-403
Here I found a fix, but I don't understand what happens and what it does and if it's safe to use. Can you say if this fix is safe to use?
https://wordpress.org/support/topic/strange-403-or-404-forbidden-errors-with-wordpress
This guy does:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
So this guy explicitly disabled some security options. Is disabling some security options the only way to get unicode urlencoded GET parameters?
Since you now know which symptom I get and which option changes the behavior, do you know what happens? Is this a bug?
Thanks in advance.
PS: I'm using Apache 2.2.22 on Debian 7 Wheezy.
--
Thomas DEBESSE