Issue:
We want to block a URL containing a /%2F in it, like: http://www.example.com/%2Fblockme
However, when we add /%2F into BadURLChars ACO parameter list, nothing happens. We have the parameter configured as follows:
badurlchars='/%2f,//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'.
Also, if we add %2F into BadURLChars list (without the slash), agent function will break and we get an HTTP error 500 from agent.
As this is not blocked, browser is getting a HTTP 404 error which we do not want to show for security.
Environment:
Web Agent R12.52 SP1 CR01 on Apache 2.2
Cause:
The reason why you are getting the HTTP 404 error is because Apache itself is breaking the URL.
Resolution:
In order to avoid Apache to break the URL, you need to add the Apache directive AllowEncodedSlashes to ON:
Description: | Determines whether encoded path separators in URLs are allowed to be passed through |
Syntax: | AllowEncodedSlashes On|Off|NoDecode |
Default: | AllowEncodedSlashes Off |
Context: | server config, virtual host |
Status: | Core |
Module: | core |
Compatibility: | Available in Apache httpd 2.0.46 and later. NoDecode option available in 2.2.18 and later. |
The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info.
With the default value, Off, such URLs are refused with a 404 (Not found) error.
With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.
With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.
Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.
Additional Information:
Apache Documentation - AllowEncodedSlashes Directive
URLEncoded forward slash is breaking URL
KD : TEC1719365